Blog

The open secret of mobile network signalling security

by Karim Gharoual | April 14, 2026


Every mobile connection begins long before a call is made or a message is sent. Hidden beneath the user plane is the control plane, the signalling layer that quietly orchestrates how devices authenticate, move, and communicate across networks worldwide. For more than a decade, mobile network signalling security has been described, documented, assessed, and “addressed”.

But in practice, the same vulnerabilities keep returning, sometimes with financial impact, sometimes with operational disruption, and often unnoticed by the subscriber. 

This is not a story of emerging threats. It is a story of known, lingering risks, preserved through long‑standing interconnect models and global roaming arrangements built on assumed trust.  

Signalling security remains one of the least understood, and most underestimated, risk areas in mobile networks. Not because it is obscure, but because it sits at the uncomfortable intersection of technology, trust, and commercial reality. 

In this blog, we trace the problem from SS7 through Diameter to 5G, looking at the challenges signalling security has faced in the past and is still facing today, leading us to the question of whether the hard part was ever the protocol, or the willingness to act. 

 

What signalling security really means 

When we talk about mobile network security, most people instinctively think about encryption, SIM authentication, or application level protections. Those are important, but they are not where signalling security lives. 

Signalling is the control plane of the mobile network. It is how networks: 

  • Locate subscribers 
  • Authenticate devices 
  • Route calls and SMS 
  • Establish sessions 
  • Apply charging and policy decisions 

In simple terms, signalling is the instruction set that tells the network what to do with user traffic. 

Critically, signalling protocols were never designed with today’s threat landscape in mind. They were built for a world where operators were few, networks were closed and trust between peers was assumed. 

That assumption no longer holds, but the protocols, interconnect models, and operational habits largely remain. 

 

SS7: A legacy protocol that never really left 

SS7 is often described as a “legacy” problem, but that framing is misleading. 

Yes, SS7 was designed decades ago. Yes, its security model is fundamentally flawed. But SS7 is still active today in ways that matter: it remains widely used for international roaming, SMS delivery continues to rely on it, and interworking with newer network generations is inevitable. 

The core issue with SS7 is not complexity but rather implicit trust.

Any entity with access to the signalling network can, in principle, ask another network questions about subscribers or request actions to be taken on their behalf. 

This has enabled real-world abuses for years: 

  • Silent interception of SMS, including one-time passwords 
  • Passive and active location tracking 
  • Subscriber state manipulation 
  • Fraud scenarios that never touch the user’s device 

 

The uncomfortable truth is this:
A network can be well secured internally and still be exposed externally through interconnect and roaming paths. 

 

“We have an SS7 firewall” is not enough 

Walk into almost any operator’s security review today and you will hear the same reassurance: “We have an SS7 firewall.” This is progress, and it matters, but a firewall alone does not solve signalling security. 

In practice, many networks still run on default or overly permissive rule sets. Alerts pile up without action, no one clearly owns the problem, and legacy configurations that should have been cleaned up years ago remain untouched. 

Meanwhile, attackers adapt. They learn which messages are allowed, which thresholds trigger alarms, and which paths remain less monitored. 

Signalling security is not a “deploy and forget” domain. It demands: 

  • Continuous tuning 
  • Deep traffic understanding 
  • The willingness to block traffic even when it comes from a trusted partner 

That last part – blocking a trusted partner – is often the hardest decision to take. 
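To make the difference between a permissive rule set and a tuned one concrete, here is an added Python example; it is not code from the original post or from any firewall product. It screens decoded MAP operations with three hypothetical rules: a partner allowlist on the SCCP calling global title, a class of operations that must never cross the interconnect, and a country-hop plausibility check on location updates that blocks a trusted partner when the subscriber cannot plausibly be there. The operation classes are loosely modelled on the GSMA FS.11 idea of grouping operations by where they may legitimately originate, but the assignment, the partner table, the global titles, the timestamps and the test-PLMN IMSI are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical operation classes. Loosely modelled on the GSMA FS.11 idea of
# grouping MAP operations by where they may legitimately originate; the
# assignment below is illustrative, not the FS.11 text.
HOME_ONLY = {"anyTimeInterrogation", "sendIMSI", "sendParameters"}  # never from interconnect
ROAMER_OPS = {"updateLocation", "sendAuthenticationInfo"}           # from the visited network


@dataclass(frozen=True)
class Partner:
    name: str
    country: str


@dataclass(frozen=True)
class MapEvent:
    opcode: str        # MAP operation decoded from the TCAP component
    calling_gt: str    # SCCP calling-party global title, E.164 digits
    imsi: str
    ts: datetime


class SignallingScreen:
    """Screens inbound MAP operations on the interconnect.

    strict=False is the 'partner allowlist only' posture many deployments
    start with; strict=True adds per-operation rules and a country-hop
    plausibility check that will block even a trusted partner."""

    def __init__(self, partners: dict[str, Partner], strict: bool,
                 hop_window: timedelta = timedelta(minutes=30)):
        self.partners = partners        # GT prefix -> roaming partner
        self.strict = strict
        self.hop_window = hop_window    # two countries inside this window is implausible
        self.last_seen: dict[str, tuple[str, datetime]] = {}  # IMSI -> (country, when)

    def _partner(self, gt: str) -> Optional[Partner]:
        """Longest-prefix match of the calling GT against the partner table."""
        matches = [p for p in self.partners if gt.startswith(p)]
        return self.partners[max(matches, key=len)] if matches else None

    def screen(self, ev: MapEvent) -> tuple[str, str]:
        origin = self._partner(ev.calling_gt)
        if origin is None:
            return "block", "calling GT is not a known roaming partner"
        if not self.strict:
            return "allow", f"permissive: {origin.name} is on the allowlist"
        if ev.opcode in HOME_ONLY:
            return "block", f"{ev.opcode} must never cross the interconnect, even from {origin.name}"
        if ev.opcode in ROAMER_OPS:
            prev = self.last_seen.get(ev.imsi)
            if prev and prev[0] != origin.country and ev.ts - prev[1] < self.hop_window:
                return "block", (f"implausible move {prev[0]}->{origin.country} "
                                 f"in {ev.ts - prev[1]} via {origin.name}")
            self.last_seen[ev.imsi] = (origin.country, ev.ts)
            return "allow", f"{ev.opcode} for outbound roamer via {origin.name}"
        return "alert", f"{ev.opcode} has no explicit rule; passed but flagged for review"


# Constructed sample data: fictitious GT ranges and a test-PLMN IMSI (MCC 001, MNC 01).
PARTNERS = {"4477009": Partner("Partner-GB", "GB"), "15550": Partner("Partner-US", "US")}
T0 = datetime(2026, 4, 14, 10, 0)
EVENTS = [
    MapEvent("anyTimeInterrogation", "447700900123", "001010123456789", T0),
    MapEvent("updateLocation", "447700900123", "001010123456789", T0 + timedelta(minutes=1)),
    MapEvent("updateLocation", "15550100123", "001010123456789", T0 + timedelta(minutes=12)),
    MapEvent("sendAuthenticationInfo", "99912345678", "001010123456789", T0 + timedelta(minutes=13)),
    MapEvent("sendRoutingInfoForSM", "447700900123", "001010123456789", T0 + timedelta(minutes=20)),
]


def run(strict: bool) -> list[str]:
    """Verdicts for EVENTS under one posture, in order."""
    screen = SignallingScreen(PARTNERS, strict=strict)
    return [screen.screen(ev)[0] for ev in EVENTS]


if __name__ == "__main__":
    for strict in (False, True):
        s = SignallingScreen(PARTNERS, strict=strict)
        print("strict" if strict else "permissive")
        for ev in EVENTS:
            action, why = s.screen(ev)
            print(f"  {action:5} {ev.opcode:24} {why}")
```

Run it and the permissive posture lets the anyTimeInterrogation from the trusted GB partner through and accepts a location update from the US eleven minutes after one from GB; the strict posture blocks both, and the second block is exactly the "block a trusted partner" decision the text describes. Real deployments would replace the country-hop rule with proper velocity checks and feed the "alert" verdicts into a review process rather than letting them pile up.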

 

Diameter: A more secure design, the same old tradeoffs 

Diameter was introduced as the successor to SS7 for LTE core signalling, and on paper it addressed many shortcomings: IP-based transport, support for TLS and IPsec, and a cleaner, more extensible message structure. 

Many operators treat Diameter security as optional. The protocol specifies TLS and IPsec but does not force a deployment to use them, and time-to-market pressure and interoperability requirements make it easy to deprioritise. Real deployments show that it should not be optional; the recurring weaknesses include: 

  • Weak or inconsistent peer authentication 
  • Unencrypted signalling links for compatibility reasons 
  • Message replay, manipulation, and resource exhaustion risks 
  • Increased exposure due to IPX and hub-based roaming models 

The pattern is familiar: 

  1. A protocol is designed with security mechanisms 
  2. Those mechanisms are not uniformly enforced 
  3. Trust fills the gap 

Different protocol. Same risk. 
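As an added example (not from the original post and not any vendor's implementation), the Python below encodes and parses RFC 6733 Diameter messages and applies the kind of origin-consistency checks a Diameter edge agent can run on an inbound S6a Authentication-Information-Request before trust is allowed to fill the gap: Destination-Realm must be ours, Origin-Realm must be one the connected peer is authorised to relay for, Origin-Host must sit inside the claimed Origin-Realm, and the IMSI in User-Name must belong to our PLMN. The realms, hostnames and IMSIs are constructed; the allowed-realm set stands in for what a real agent would derive from the peer's authenticated identity at connection setup.

```python
import re
import struct

# AVP codes from RFC 6733; command and application id from 3GPP TS 29.272.
USER_NAME, ORIGIN_HOST, DEST_REALM, ORIGIN_REALM = 1, 264, 283, 296
CMD_AIR = 318          # Authentication-Information-Request
APP_S6A = 16777251     # 3GPP S6a/S6d application id


def avp(code: int, data, mandatory: bool = True) -> bytes:
    """Encode one AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    if isinstance(data, str):
        data = data.encode()
    flags = 0x40 if mandatory else 0      # M bit
    length = 8 + len(data)                # AVP length excludes padding
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\0" * ((-len(data)) % 4))


def message(cmd: int, app: int, avps: list, hbh: int = 1, e2e: int = 1) -> bytes:
    """Encode a Diameter request: version 1, 20-byte header, R bit set."""
    body = b"".join(avps)
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([0x80])
              + cmd.to_bytes(3, "big") + struct.pack("!III", app, hbh, e2e))
    return header + body


def parse(buf: bytes) -> tuple[int, int, dict[int, list[bytes]]]:
    """Decode header and AVPs; reject anything whose lengths do not add up."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise ValueError("header length does not match message size")
    cmd = int.from_bytes(buf[5:8], "big")
    app, _hbh, _e2e = struct.unpack("!III", buf[8:20])
    avps: dict[int, list[bytes]] = {}
    off = 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        alen = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8    # V bit adds a 4-byte Vendor-ID
        padded = alen + ((-alen) % 4)
        if alen < hdr or off + padded > length:
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, []).append(buf[off + hdr:off + alen])
        off += padded
    return cmd, app, avps


def _single(avps: dict, code: int) -> str:
    """A DiameterIdentity AVP must appear exactly once; duplicates are a smell."""
    vals = avps.get(code, [])
    if len(vals) != 1:
        raise ValueError(f"AVP {code} must appear exactly once")
    return vals[0].decode("ascii")


def home_plmn_prefixes(realm: str) -> set[str]:
    """IMSI prefixes for a 3GPP realm 'epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org'.
    The realm carries a 3-digit MNC; a 2-digit MNC is zero-padded there but
    not in the IMSI, so both spellings are accepted (assumption for the demo)."""
    m = re.search(r"mnc(\d{3})\.mcc(\d{3})", realm)
    if not m:
        raise ValueError("realm is not a 3GPP PLMN realm")
    mnc, mcc = m.groups()
    return {mcc + mnc, mcc + mnc[1:]} if mnc.startswith("0") else {mcc + mnc}


def screen(buf: bytes, peer_realms: set[str], home_realm: str) -> tuple[str, str]:
    """Edge-agent check on one inbound request from an authenticated peer.
    peer_realms: Origin-Realms this transport peer (e.g. an IPX hub) may relay."""
    try:
        cmd, app, avps = parse(buf)
        origin_host, origin_realm = _single(avps, ORIGIN_HOST), _single(avps, ORIGIN_REALM)
        dest_realm = _single(avps, DEST_REALM)
    except (ValueError, UnicodeDecodeError) as exc:
        return "block", f"malformed: {exc}"
    if dest_realm != home_realm:
        return "block", f"Destination-Realm {dest_realm} is not ours"
    if origin_realm not in peer_realms:
        return "block", f"Origin-Realm {origin_realm} not authorised on this peer"
    if not origin_host.endswith("." + origin_realm):
        return "block", f"Origin-Host {origin_host} is outside Origin-Realm {origin_realm}"
    if cmd == CMD_AIR and app == APP_S6A:
        imsi = avps.get(USER_NAME, [b""])[0].decode("ascii", "replace")
        if not any(imsi.startswith(p) for p in home_plmn_prefixes(home_realm)):
            return "block", f"AIR for IMSI {imsi} outside the home PLMN"
    return "allow", f"{origin_host} -> {dest_realm} cmd {cmd}"


# Constructed realms: test PLMN 001/01 as home, 001/02 as the roaming partner.
HOME = "epc.mnc001.mcc001.3gppnetwork.org"
VISITED = "epc.mnc002.mcc001.3gppnetwork.org"
PEER_REALMS = {VISITED}


def air(origin_host: str, origin_realm: str, imsi: str, dest_realm: str = HOME) -> bytes:
    return message(CMD_AIR, APP_S6A, [avp(ORIGIN_HOST, origin_host), avp(ORIGIN_REALM, origin_realm),
                                      avp(DEST_REALM, dest_realm), avp(USER_NAME, imsi)])


def demo() -> list[str]:
    """Verdicts for: legitimate AIR; Origin-Realm this peer may not relay;
    Origin-Host outside its realm; IMSI that is not ours; truncated message."""
    other = "epc.mnc003.mcc001.3gppnetwork.org"
    cases = [air("mme1." + VISITED, VISITED, "001010123456789"),
             air("mme1." + other, other, "001010123456789"),
             air("hss.attacker.example", VISITED, "001010123456789"),
             air("mme1." + VISITED, VISITED, "310150123456789"),
             air("mme1." + VISITED, VISITED, "001010123456789")[:-4]]
    return [screen(c, PEER_REALMS, HOME)[0] for c in cases]
```

Calling `demo()` yields one allow followed by four blocks. None of these checks need TLS to be deployed; they are what an edge agent can do even on an unencrypted link, which is why "we have TLS on some links" and "we validate what the peer asserts" are separate questions.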

 

Global trust meets operational reality 

At its core, signalling security is not just a technical problem. 

 

It is a trust problem. 

 

Mobile networks are globally interconnected systems built on commercial agreements. Everyone in the industry knows the tension: blocking signalling traffic is rarely just a security decision; it is a business decision that directly affects roaming revenue, customer experience, and partner relationships. Security teams may flag a risk, but commercial and operational teams weigh the cost of acting on it. This is not unique to any single operator; it is a structural reality of the industry. 

Responsibility is also fragmented. Security teams detect risks, core network teams operate signalling infrastructure, and roaming teams manage partner relationships. Each group optimises for its own priorities. When something goes wrong, ownership is often unclear, and the default response is to tolerate the risk rather than disrupt the revenue stream. 

The result is predictable: known risks persist. Even when mitigations exist, they are applied inconsistently. Security becomes reactive rather than preventive. 

 

Are we making progress? 

Yes! There has been real progress. 

The industry now has clear threat models and mature signalling firewalls. Monitoring and analytics have come a long way, and shared best-practice frameworks give operators a common baseline to work from. 

Operators that treat signalling security as a living operational discipline, not a compliance checkbox, are demonstrably more resilient. 

What does not work is: 

  • One‑time audits — recurrence is essential 
  • Static rule sets — monitoring must be dynamic 
  • Assuming signalling is “legacy noise” that will disappear — it won’t.  

 

5G signalling and the risk of repeating history  

5G fundamentally transforms the mobile core, introducing a Service‑Based Architecture (SBA) where network functions communicate via APIs using modern web technologies. This evolution brings stronger cryptography, explicit identity and authorization models (mutual TLS between network functions and OAuth 2.0 token-based service authorisation), and far more flexible security design compared to previous generations. 

However, the shift to SBA also introduces new challenges. With broader API exposure, cloud‑native deployments, and distributed network components, the potential attack surface becomes significantly larger. Inter‑PLMN communication still crosses the same commercial trust boundary (in 5G standalone, between the two operators' SEPPs over the N32 interface), which means long‑standing interconnect assumptions still apply even within a modernised architecture. 

 

Perhaps most importantly:
Legacy signalling does not disappear overnight. 

 

SS7 and Diameter continue to exist alongside 5G, connected through interworking functions that can themselves become points of weakness. We must also recognise that, particularly in roaming scenarios, 5G Non-Standalone (NSA) deployments still run on the LTE core and therefore rely on Diameter for control-plane signalling, extending legacy signalling exposure well into the 5G era. 

5G gives the industry the tools to finally apply Zero Trust principles to signalling. Whether those tools are consistently used, or quietly bypassed for convenience, remains an open question. 

 

The hard part was never the protocol 

Signalling security does not suffer from a lack of documentation or industry standards. Over the years, a wide range of technical controls and mitigations have been developed to tackle legacy protocols’ limitations. Many risks can be reduced, without fundamentally changing how these protocols were designed to operate. 

What makes signalling security persistently difficult lies elsewhere. It is shaped by factors that are far harder to address than protocol mechanics: 

  • Inherited trust, carried forward from a time when inter-operator connectivity assumed trusted peers 
  • Operational compromise, where commercial, interoperability, or availability considerations dilute security intent 
  • Reluctance to enforce hard boundaries in a global ecosystem that still depends on cooperation and mutual access 

The industry no longer needs to prove that signalling can be attacked; that point was established years ago. The real challenge is operating with the assumption that signalling abuse is not a possibility but an inevitability, and building the controls, processes, and trust models that reflect this reality.

As networks transition into the 5G era, the industry has a genuine opportunity: not just to modernise technology, but to modernise the way trust, security, and interconnect relationships are managed. 

Real progress will come when signalling security is treated not as a legacy obligation but as a strategic priority, one that protects revenues, preserves customer trust, and strengthens the resilience of global connectivity.