  • How UK Mobile Networks Handle Emergency Location Data: The SS7 Infrastructure Behind 999 Call Tracing

    When you dial 999 from a mobile, there is a quiet war happening in the background. Your handset, the mast it is connected to, and a chain of ageing signalling protocols all scramble to answer one critical question: where exactly are you? The answer involves a stack of technology that ranges from genuinely modern to embarrassingly legacy, and the gaps between those layers are where both life-saving accuracy and some genuinely nasty attack vectors live. SS7 vulnerabilities in the UK mobile network are not theoretical. They are real, documented, and still largely unresolved, even as regulators push for better standards on 999 call location.

    Anonymous hacker in server room examining SS7 vulnerabilities in UK mobile network infrastructure

    What is SS7 and Why Does a 999 Call Touch It?

    Signalling System No. 7, almost always shortened to SS7, is the set of telephony protocols that mobile and fixed-line networks use to exchange control information. Think of it as the nervous system underneath a call: not the voice data itself, but the signalling layer that handles routing, authentication, billing handshakes and, crucially, location data. It was designed in 1975 and standardised broadly through the 1980s. Its architecture assumed that only trusted carriers would ever connect to it. Spoiler: that assumption has aged terribly.

    When you make a 999 call in the UK, the network needs to route that call to the correct emergency call centre, which in practice means a BT-operated platform called the Emergency Call Handling Agent (ECHA). The ECHA then passes location information to the relevant emergency service control room. Getting accurate coordinates into that pipeline fast enough to matter requires pulling location data from multiple sources, and SS7 is one of the pipes that data flows through.

    The Three Layers of Location Data in a UK 999 Call

    Cell-ID: The Old Faithful That Can Get You Killed

    Cell-ID is the baseline. Every mast in the UK has a unique Cell Global Identity (CGI). When your phone registers with a mast, the network knows which cell you are in. In dense urban areas like central London or Manchester city centre, a cell might cover a few hundred metres. Out in rural Yorkshire, a single cell can stretch for several kilometres. That variance matters enormously when someone is unconscious in a field and the ambulance is being dispatched based on a 2km radius guess.

    Cell-ID data travels over SS7. The Home Location Register (HLR) and Visitor Location Register (VLR), classic SS7 database nodes, hold records of which cell a subscriber is currently in. A legitimate query to an HLR using an SS7 MAP (Mobile Application Part) message can return this Cell-ID. That same query can be issued by an attacker who has gained access to the SS7 network, which is exactly the problem.

    Advanced Mobile Location: The Standard That Actually Works

    Advanced Mobile Location, or AML, is the thing that genuinely changed the game. When a 999 call is initiated on a compatible handset, the phone automatically launches a brief background data session and sends an HTTPS request containing its best available position fix, which could be GPS, Wi-Fi positioning, or cell triangulation, directly to a secure national server. That data is then matched to the call and passed to the ECHA. No SS7 involvement in the location push itself. Clean, fast, and dramatically more accurate.

    Ofcom mandated AML support for UK mobile operators, and it has been rolling out since 2018. Research from the Emergency Location Task Force showed AML-capable devices achieving median location accuracies under 10 metres in tests, compared to hundreds of metres for Cell-ID alone. Android implemented AML natively; Apple’s equivalent, called Hybridised Emergency Location (HELO), integrates similarly. But here is the catch: AML only fires if the device supports it and has a data connection. No signal, no data, no AML. You fall back to Cell-ID. You fall back to SS7.

    Network-Derived Location via SS7 Queries

    When AML is not available, networks can attempt network-derived location using SS7-based procedures, pulling location from the network side rather than the handset. This involves MAP queries against the serving node, potentially triggering silent location requests. It is slower, less accurate, and it exposes exactly the same interface that attackers have been abusing for over a decade.

    Close-up of mobile signalling hardware representing SS7 vulnerabilities in UK mobile network 999 systems

    The SS7 Attack Surface: What Legitimate Looks Like vs What an Attack Looks Like

    A legitimate location lookup over SS7 for emergency purposes looks like this: a trusted operator node sends a MAP-ATI (Any Time Interrogation) or MAP-PSL (Provide Subscriber Location) message to the target subscriber’s serving network. The serving network returns location data. The whole exchange happens between carrier-grade nodes with established inter-operator agreements.

    An attack looks almost identical. That is the problem. SS7 has no native cryptographic authentication between nodes. If an attacker has obtained access to an SS7 gateway, through a rogue operator connection (there are hundreds of legitimate interconnects globally), a compromised roaming hub, or a nation-state level intrusion, they can send the exact same MAP messages. The receiving network cannot reliably distinguish between a query from BT’s legitimate infrastructure and one from a compromised node in, say, a lightly regulated jurisdiction.

    Known attack types that are directly relevant here include:

    • MAP-ATI abuse: Silent location queries that return Cell-ID without the subscriber ever knowing. Used extensively in targeted surveillance operations documented by researchers at Positive Technologies and SRLabs.
    • IMSI harvesting via paging: Forcing a phone to reveal its IMSI by sending forged paging messages, then correlating that IMSI with billing data.
    • SS7 intercept: Redirecting SMS messages by updating location registers, effectively breaking SMS-based two-factor authentication. UK banks and HMRC both still use SMS OTP for some authentication flows.
    • Call forwarding manipulation: Registering a supplementary service via SS7 to silently forward calls, including potentially 999 calls in extreme edge cases.

    The GSMA has published security guidelines (FS.11) specifically addressing SS7 vulnerabilities. UK mobile operators are expected to implement SS7 firewalls and anomaly detection. EE, Vodafone, O2, and Three have all made public commitments to SS7 hardening. But independent security researchers have consistently found that filtering is incomplete and that certain query types still pass through commercial networks globally.
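
    Since the MAP messages themselves carry no authentication, an SS7 firewall has to judge each location query by where it claims to come from. The sketch below is an added example, not operator or GSMA code: it screens constructed MAP-ATI, MAP-PSL and MAP-PSI (Provide Subscriber Info, not named above) records by calling global title and flags sources that are blocked repeatedly. The prefixes, the lookup table and the two policy sets are assumptions made for illustration.

```python
# Added illustration, not operator code. Global titles (GTs), IMSIs and prefixes
# are constructed sample values; the policy sets are assumptions of this sketch.
from collections import Counter

HOME_PLMN = "23499"                      # hypothetical home network (MCC 234 = UK)
PLMN_TO_GT = {"23499": "447700900",      # constructed IMSI-prefix -> GT-prefix table
              "00101": "99900"}          # constructed roaming partner (test PLMN)
HOME_GT = PLMN_TO_GT[HOME_PLMN]

INTERNAL_ONLY = {"ATI", "PSL"}           # expected only from the operator's own nodes
HOME_NETWORK_ONLY = {"PSI"}              # expected only from the subscriber's home network

def screen(msg):
    """Return (verdict, reason) for one inbound MAP location query."""
    op, gt, imsi = msg["op"], msg["calling_gt"], msg["imsi"]
    if op in INTERNAL_ONLY and not gt.startswith(HOME_GT):
        return "block", "internal-only operation received from an external GT"
    if op in HOME_NETWORK_ONLY:
        # Find the GT prefix that the subscriber's home network should use.
        expected = next((g for p, g in PLMN_TO_GT.items() if imsi.startswith(p)), None)
        if expected is None or not gt.startswith(expected):
            return "block", "calling GT is not in the subscriber's home network"
    return "allow", "passes origin checks"

def noisy_sources(messages, threshold=2):
    """GTs with at least `threshold` blocked queries: candidates for alerting."""
    blocked = Counter(m["calling_gt"] for m in messages if screen(m)[0] == "block")
    return sorted(gt for gt, n in blocked.items() if n >= threshold)

# Constructed sample traffic: (operation, calling GT, target IMSI).
SAMPLE = [
    {"op": "ATI", "calling_gt": "447700900001", "imsi": "234990000000001"},
    {"op": "ATI", "calling_gt": "999000000042", "imsi": "234990000000001"},
    {"op": "PSI", "calling_gt": "447700900002", "imsi": "234990000000001"},
    {"op": "PSI", "calling_gt": "999000000042", "imsi": "234990000000001"},
    {"op": "PSI", "calling_gt": "999000000007", "imsi": "001010000000005"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["op"], m["calling_gt"], *screen(m))
    print("alert on:", noisy_sources(SAMPLE))
```

    Origin checks of this kind only raise the bar: a query that spoofs a plausible calling GT still passes, which is why the anomaly-detection side matters as much as the static rules.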

    What Ofcom Has (and Has Not) Done About This

    Ofcom has pushed hard on the AML standard, which is the right call. Reducing reliance on SS7 for 999 location is genuinely the correct long-term direction. The General Conditions of Entitlement require UK operators to transmit caller location to the emergency services, and AML compliance is baked into that framework now.

    Where it gets murkier is the broader SS7 security mandate. Ofcom’s general network security obligations under the Communications Act 2003 and the Network and Information Systems (NIS) Regulations 2018 apply, but there is no specific published SS7 security audit regime with public reporting. Compare that to the approach taken by the US FCC, which has at least publicly demanded SS7 remediation reports from carriers, and the UK’s posture looks somewhat quieter than the scale of the problem warrants.

    The Gaps That Still Exist in 2026

    SS7 is not going away fast. VoLTE (Voice over LTE) and 5G use different signalling stacks, specifically Diameter for 4G and HTTP/2-based service-based architecture for 5G core. Both are improvements. Both also have their own vulnerability classes. But the global SS7 network still exists as an interconnect layer, particularly for roaming, and that interconnect layer is accessible. The migration to newer stacks is a decade-long project, not a flip of a switch.

    For 999 specifically, the risk is not that an attacker hijacks your emergency call in real time. That is technically complex and a weird threat model. The more realistic concern is the broader SS7 attack surface being used for surveillance, two-factor authentication bypass, and location tracking of individuals, all of which undermine the integrity of UK mobile communications more generally. Emergency location accuracy has genuinely improved with AML. But the underlying SS7 vulnerabilities in the UK mobile network remain a live issue for anyone who cares about mobile security beyond just calling 999.

    The honest summary: AML is good and getting better. Cell-ID fallback is a known weak point. SS7 is a creaking legacy protocol with documented, exploitable vulnerabilities that no single operator can fix unilaterally because the problem is global. Ofcom has done the right things on the emergency location side. The broader SS7 remediation piece remains a work in progress, and the security community knows it.

    Frequently Asked Questions

    What are SS7 vulnerabilities and do they affect UK mobile networks?

    SS7 vulnerabilities are security flaws in the Signalling System No. 7 protocol, a legacy telephony signalling stack used by mobile and fixed-line networks globally. Yes, they absolutely affect UK mobile networks because UK operators interconnect with the global SS7 network for roaming and inter-carrier signalling, creating exposure to attacks that can originate from compromised nodes anywhere in the world.

    How does Advanced Mobile Location (AML) improve 999 call accuracy?

    When you dial 999 on a compatible smartphone, the handset automatically sends a background HTTPS data packet containing its best GPS or Wi-Fi position fix directly to a secure national server, which then passes the data to the emergency call centre. This bypasses the less accurate Cell-ID method and typically achieves location accuracy within 10 metres in good conditions, compared to potentially hundreds of metres with network-derived Cell-ID alone.

    Can someone use SS7 to track a person's location in the UK without their knowledge?

    In theory, yes, and it has been demonstrated repeatedly by security researchers. An attacker with access to an SS7 gateway can send MAP-ATI (Any Time Interrogation) messages to a UK network to retrieve the Cell-ID of a target subscriber’s current location without any notification to the subscriber. UK operators are required to implement SS7 firewalls, but filtering is not universally complete across all query types and interconnect routes.

    Does 5G fix the SS7 security problem?

    5G’s core network uses a completely different signalling architecture based on HTTP/2 and a service-based model, which eliminates native SS7 exposure in the 5G core. However, 5G networks still maintain SS7 interconnects for backwards compatibility with older networks and global roaming, meaning the SS7 attack surface does not disappear immediately. Full migration away from SS7 will take many years.

    What does Ofcom require UK operators to do about emergency call location?

    Under the General Conditions of Entitlement, UK mobile operators are required to transmit caller location information to the emergency services for 999 calls. Ofcom has mandated support for Advanced Mobile Location (AML) as part of this requirement. Broader SS7 security is covered under the Communications Act 2003 and NIS Regulations 2018, though there is no specific published public audit regime for SS7 security compliance.