Telecom 7 min read

Protecting telecom networks from signaling fraud: SS7, Diameter, and SIP security architecture

An analysis of signaling protocol vulnerabilities and methods for building architectural defenses against fraud in telecommunications networks.

The modern telecommunications landscape faces a fundamental paradox. On one hand, enterprises are actively deploying intelligent contact centers, automated AI-based customer service systems (Voice AI), and complex B2B2C services. On the other, this innovative layer operates atop signaling infrastructure designed decades ago without considering rigorous cybersecurity requirements. As a result, the legacy signaling core has evolved from a classic technical debt into a direct financial threat.

According to the CFCA Global Fraud Loss Survey 2025, global losses from telecom fraud reached $41.82 billion, significantly exceeding the $38.95 billion recorded in 2023. Subscription fraud alone generates approximately $5.31 billion in annual losses, while International Revenue Share Fraud (IRSF) accounts for $6.23 billion. The situation is exacerbated by attackers increasingly automating the exploitation of signaling system vulnerabilities to bypass modern authentication methods.

Legacy cores as a financial drain: why old protocols threaten new budgets

Many organizations mistakenly believe that securing the communication perimeter is limited to installing a firewall or connecting a basic anti-fraud module from a local provider. However, the root of the problem lies much deeper—in the architecture of SS7 and Diameter signaling protocols and insecure SIP implementations.

Analysis by ENISA (Threat Landscape 2025) confirms that the exploitation of legacy signaling protocols remains an active attack vector against mobile networks. The report notes that digital infrastructure and services accounted for approximately 27.7% of all recorded data breaches. When corporate systems rely on mobile networks to send one-time passwords (OTP) or perform voice transaction verification, they automatically inherit critical vulnerabilities from the signaling layer.

Anatomy of signaling threats: how SS7, Diameter, and insecure SIP become attack vectors

To understand the scale of the threat, it is necessary to examine the technical nature of the vulnerabilities within the primary signaling stacks:

  • SS7 (Signaling System No. 7): This protocol was created in an era of trusted state-owned telecom operators, lacking mutual cryptographic authentication of nodes. An entity that gains access to a signaling port can send MAP (Mobile Application Part) requests. This opens the door to intercepting SMS messages, tracking subscriber geolocation, and redirecting calls.
  • Diameter: Although this protocol, which replaced SS7 in 4G/LTE networks, supports IP security (IPsec), in practice, inter-operator interconnects are often misconfigured or routed through transit hubs. This allows for Denial of Service (DoS) attacks or unauthorized access to user profiles.
  • Insecure SIP (Session Initiation Protocol): The primary protocol for modern VoIP telephony. In the absence of signaling (SIPS) and media traffic (SRTP) encryption, attackers can not only eavesdrop on conversations but also inject signaling messages to generate fake traffic or spoof caller IDs.

Real-world scenarios of business service compromise

  1. SMS interception to bypass MFA: Attackers use SS7/Diameter vulnerabilities to manipulate requests (e.g., Update Location), redirecting signaling traffic to a controlled switch. As a result, SMS confirmation codes (OTP) are delivered to the attacker, leading to account takeover.
  2. Manipulating AI contact centers via Caller ID spoofing: Many enterprises use voice biometrics or caller identification for authentication. Attackers spoof the Caller Line Identification (CLI) in SIP INVITE requests. The AI agent, relying on the forged CLI, grants access to sensitive customer data.
  3. Bypassing provisioning systems: Due to the lack of strict identity verification in protocols, automated operator systems may accept forged activation requests. This leads to large-scale subscription fraud, with bills issued to legitimate customers.

Architectural shield: implementing STIR/SHAKEN and cryptographic SIP Identity verification

To combat Caller ID spoofing at the IP network level, the industry is implementing the STIR/SHAKEN suite of standards. While not a panacea for all types of fraud, the standard creates the necessary cryptographic foundation for trust in voice calls.

As defined in the IETF RFC 8224 technical standard, the mechanism is based on the SIP Identity header. According to the requirements of the U.S. Federal Communications Commission (FCC), the process includes two key components:

  • Caller ID authentication and verification: The originating operator confirms the caller's right to use the number and adds a digital signature (PASSporT token) to the SIP INVITE message. The receiving party verifies this signature using a public key.
  • Certificate governance: A public key infrastructure ensures that certificates for signing calls are issued exclusively to authorized providers.

An important nuance: STIR/SHAKEN remains effective only in end-to-end SIP networks. If a call passes through legacy transits (TDM/SS7), the digital signature may be lost. Regarding mobile networks, the transition to 5G Standalone (SA) architecture improves the situation through the use of HTTP/2 and mandatory interface encryption via SEPP (Security Edge Protection Proxy). However, 5G architecture does not automatically eliminate vulnerabilities—its reliability depends critically on the correct configuration of security policies at network boundaries.

Practical approach to securing the telecom perimeter

Avoiding signaling threats requires a transition from ad-hoc infrastructure patching to a systematic architectural approach. To protect corporate communications and operator transit, the technology alliance Intecracy Group (an alliance of independent companies linked by partner agreements and share exchanges) suggests integrating specialized telecom solutions with a robust application management layer.

For secure voice routing, the operator-grade VoIP platform DooxSwitch is utilized. As a softswitch with built-in real-time billing, the platform supports Least Cost Routing (LCR) mechanisms and session anomaly detection during call setup. Its architecture allows for:

  • Controlling and verifying SIP headers to reduce the risk of caller ID spoofing;
  • Instantly blocking unauthorized traffic generation to premium destinations (protection against IRSF);
  • Isolating internal corporate telephony from external threats through integration with Session Border Controllers (SBC).

For building high-reliability administrative interfaces (OSS/BSS), monitoring systems, portals, and integration gateways, the low-code platform UnityBase can be applied. UnityBase is a joint development of Intecracy Group companies (with InBase acting as a key developer). Using a unified domain metadata model, the platform allows for the rapid creation of enterprise applications with strict audit and security requirements.

The UnityBase platform provides strict access control at the row and attribute level (RLS/ACL), detailed audit trails, and the ability to deploy on-premises for full data control. For telecom projects with heightened security requirements or high loads, the platform's official documentation recommends using commercial Enterprise (EE) or Defence (DE) editions, which support advanced cryptographic tools and integration with external security systems.

Attack vectorProtocolBusiness impactArchitectural solution
Caller ID spoofingSIP (VoIP)Bypassing voice 2FA, social engineeringImplementation of RFC 8224 (SIP Identity header) and STIR/SHAKEN
SMS/traffic interceptionSS7 / DiameterOTP password compromise, customer data leakageInstallation of signaling firewalls (SS7/Diameter Firewall), transition to 5G Standalone Core
Interconnect fraud (IRSF)SIP / ISUPArtificial traffic generation to premium numbers, massive lossesIntegration of real-time billing with LCR and session limits

The security of modern telecommunications networks is not a matter of installing separate software, but of architectural core resilience. Only a combination of reliable identification (STIR/SHAKEN), secure routing, and strict access control at the integration platform level will allow enterprises to safely scale AI services without the risk of multi-million dollar financial losses.

FAQ

How exactly does the implementation of STIR/SHAKEN protect a corporate contact center from fraud?

STIR/SHAKEN adds a cryptographic signature (Identity token according to RFC 8224) to the SIP request at the call initiation stage. The contact center, upon receiving the call, verifies this signature via a public key infrastructure (PKI). This allows for precise determination of whether the call was initiated by the true owner of the number or if it is an attempt at Caller ID spoofing by an attacker.

Does the transition to 5G Standalone solve all security problems of SS7 and Diameter signaling protocols?

No. Although 5G Standalone replaces legacy signaling protocols with HTTP/2 and introduces secure SEPP (Security Edge Protection Proxy) gateways for inter-network exchange, vulnerabilities may persist. If the network interacts with legacy segments (2G/3G/4G) or if filtering policies on the SEPP are configured incorrectly, the infrastructure remains open to attacks.

What are the minimum requirements for upgrading a SIP core for the secure integration of AI assistants?

Minimum requirements include the mandatory use of signaling (TLS/SIPS) and media stream (SRTP) encryption, the implementation of Session Border Controllers (SBC) for traffic filtering, integration with SIP Identity verification systems, and the use of solutions with real-time billing (e.g., DooxSwitch) for the automatic detection and blocking of anomalous sessions.

Data sources

Sources & materials

Materials and sources used in this article.

  1. CFCA Global Fraud Loss Survey 2025 — cfca.org
  2. ENISA Threat Landscape 2025 — enisa.europa.eu
  3. FCC First Caller ID Authentication Report and Order — docs.fcc.gov
  4. IETF: RFC 8224: Authenticated Identity Management in SIP — ietf.org
  5. 3GPP — Mobile Standards — 3gpp.org