USSD Traffic analysis

Harald Welte laforge at
Tue Feb 7 15:14:04 UTC 2012

Hi Ty,

On Tue, Feb 07, 2012 at 03:18:46PM +0300, ty wrote:

> I work for one of the leading mcommerce providers in the country as a
> security analyst and from the architectures, yes all the transactions take
> place via secure channels. However, my concern has always been after the
> transaction leaves the application and is handed over to the USSD gateway
> for the MNO, is it possible at an SS7 layer to intercept the said traffic?

There is nothing specific to USSD here.  It's a MAP transaction,
encapsulated in TCAP+SCCP+MTP3 or any of the SIGTRAN variants.  So the
question is basically a general question on SS7/SCCP security, and thus
off-topic on this list, which is about OsmocomBB baseband development
and not core network technology.

> I haven't seen any research into how USSD can be intercepted OTA just like
> GSM voice calls have been intercepted.

USSD is transported on a signallign channel like SMS or call control.
Thre is no difference in terms of intercepting or MITM from voice/SMS.


- Harald Welte <laforge at> 
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

More information about the baseband-devel mailing list