The updateLocation message is used to update the subscriber's location in the network. It informs the network of which VLR/MSC the subscriber is currently connected to. Using a fake updateLocation message, the attacker claims that the victim's MS is connected to their MSC. In this case, the subscriber's SMSs will be forwarded to the attacker's SMS center to be delivered to the MS.
In addition to intercepting personal SMSs of the target, this attack can be used against authentication systems that utilize SMS verification (SMS token, Facebook verification, etc.) and could lead to the compromise of the target’s identity.
Second Generation (2G) networks did not offer the concept of mutual authentication, where the network authenticates itself to the subscriber. This made the subscriber vulnerable to an attack known as the 2G IMSI catcher. In this attack, the attacker uses a rogue radio cell to announce the same network as a legitimate one, at higher power than the normal network.
The target would then connect unknowingly to the rogue cell instead of the legitimate network. The attacker intercepts the call and then forwards it to its destination. In 3G networks, such an attack was not possible, since the network has to authenticate back to the subscriber before a call is established. However, with access to SS7, the attacker can send another MAP message, called sendAuthenticationInfo, to the HLR to obtain the information needed to successfully impersonate the legitimate network.
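Both messages described above are ones a signalling firewall should screen on the home network side. As an added illustration, not code from the original text, the following Python snippet applies two simplified checks to a constructed MAP event log: an updateLocation that moves a subscriber to another country implausibly fast is treated as rejected, and a sendAuthenticationInfo from a network other than the one currently serving the subscriber is flagged. The event fields, the home country code and the two-hour threshold are assumptions; a production check would also use Global Title analysis and the operator's roaming agreements.

```python
from datetime import datetime, timedelta

# Hypothetical tuning: a subscriber cannot plausibly re-register in a
# different country less than 2 hours after the previous registration.
MAX_PLAUSIBLE_MOVE = timedelta(hours=2)
HOME_CC = "49"  # constructed home-network country code

# Constructed sample of MAP events as a signalling firewall might log them.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "op": "updateLocation", "imsi": "IMSI-A", "origin_cc": "49"},
    {"ts": "2024-01-01T10:05:00", "op": "updateLocation", "imsi": "IMSI-A", "origin_cc": "880"},
    {"ts": "2024-01-01T10:06:00", "op": "sendAuthenticationInfo", "imsi": "IMSI-A", "origin_cc": "880"},
    {"ts": "2024-01-01T12:00:00", "op": "updateLocation", "imsi": "IMSI-B", "origin_cc": "49"},
]


def screen(events):
    """Return a list of alerts; accepted updateLocations update the state table."""
    registered = {}  # imsi -> (country code of serving VLR, timestamp of registration)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        imsi, cc, op = ev["imsi"], ev["origin_cc"], ev["op"]
        current_cc, last_ts = registered.get(imsi, (HOME_CC, None))
        if op == "updateLocation":
            if last_ts is not None and cc != current_cc and ts - last_ts < MAX_PLAUSIBLE_MOVE:
                alerts.append({"imsi": imsi, "rule": "implausible_velocity", "origin_cc": cc})
                continue  # treated as rejected: the subscriber is not moved
            registered[imsi] = (cc, ts)
        elif op == "sendAuthenticationInfo":
            # Authentication vectors should only be requested by the network
            # currently serving the subscriber (home network if not roaming).
            if cc != current_cc:
                alerts.append({"imsi": imsi, "rule": "sai_from_unexpected_network", "origin_cc": cc})
    return alerts


if __name__ == "__main__":
    for alert in screen(SAMPLE_EVENTS):
        print(alert)
```

On the sample above the second updateLocation is rejected and the subsequent sendAuthenticationInfo is flagged, while IMSI-B's registration from the home network passes silently.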