I may be late to this topic.

But I’m learning right now that it exists, and it surprised me — perhaps out of naivety. I suspect there are management SMS messages a bit like ICMP Echo requests.


What Is a Type 0 SMS?

An ordinary SMS arrives on your phone. You hear a sound. A message displays. You read, you reply.

A Type 0 SMS arrives on your phone. You hear nothing. Nothing displays. Yet your phone did receive the message, and it automatically responded.

Without notifying you. Without asking permission.

It’s not a virus. It’s not a bug.

It’s a standard cellular network feature, defined in technical specification 3GPP TS 23.040, inherited from the GSM era. The specification says literally that the phone “must acknowledge receipt, but may discard contents.”

Must acknowledge receipt. May discard contents.

Your phone responds. You know nothing.
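
How a Type 0 message is told apart from an ordinary one, as an added example that is not part of the original article: in 3GPP TS 23.040 the TP-Protocol-Identifier (TP-PID) octet of an SMS-DELIVER is 0x40 for Short Message Type 0, so a capture of raw PDUs can be scanned for that value. The code assumes the received PDUs are already available as hex strings with their SMSC prefix; the sample PDUs, phone numbers and function names are constructed for illustration.

```python
from collections import Counter

TYPE0_PID = 0x40  # TP-PID: bits 7..6 = 01, bits 5..0 = 000000 (Short Message Type 0)

# Constructed sample PDUs (fictional numbers): SMSC prefix + SMS-DELIVER TPDU.
SAMPLE_TYPE0 = "07915155100000F0040B915155100021F340005220122143000000"
SAMPLE_NORMAL = "07915155100000F0040B915155100021F300005220122143000002E834"


def decode_number(octets: bytes, toa: int) -> str:
    """Decode a nibble-swapped BCD address; 0xF is padding."""
    if (toa & 0x70) == 0x50:              # alphanumeric sender: leave as hex
        return octets.hex()
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Extract sender, TP-PID, TP-DCS and TP-UDL from one received PDU."""
    raw = bytes.fromhex(pdu_hex)
    try:
        pos = 1 + raw[0]                  # skip SMSC length octet and SMSC info
        first = raw[pos]
        if first & 0x03 != 0x00:          # TP-MTI 00 = SMS-DELIVER
            raise ValueError("not an SMS-DELIVER TPDU")
        oa_len = (raw[pos + 1] + 1) // 2  # TP-OA length counts digits, not octets
        toa = raw[pos + 2]
        oa = raw[pos + 3 : pos + 3 + oa_len]
        pos += 3 + oa_len
        pid, dcs = raw[pos], raw[pos + 1]
        udl = raw[pos + 2 + 7]            # 7 octets of TP-SCTS precede TP-UDL
    except IndexError:
        raise ValueError("truncated PDU") from None
    return {"sender": decode_number(oa, toa), "pid": pid, "dcs": dcs,
            "udl": udl, "type0": pid == TYPE0_PID}


def type0_senders(pdus) -> Counter:
    """Count Type 0 messages per originating address across a capture."""
    hits = Counter()
    for pdu in pdus:
        msg = parse_sms_deliver(pdu)
        if msg["type0"]:
            hits[msg["sender"]] += 1
    return hits


if __name__ == "__main__":
    print(type0_senders([SAMPLE_TYPE0, SAMPLE_NORMAL, SAMPLE_TYPE0]))
```

Repeated Type 0 messages from the same originating address over a short period are the pattern worth surfacing from such a capture.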


What Happens Concretely

When someone sends a Type 0 to your number:

  1. The message transits via a signalling protocol dating from the 1980s — SS7
  2. Your phone receives it at the modem level, below the operating system
  3. It automatically sends an acknowledgement to the network
  4. The operator records the event with the identifier of the cell tower that served you (Cell ID)

That last point is what struck me most.

In dense urban areas, a tower covers a sector of a few dozen to a few hundred metres. By correlating several Type 0 pings with a public database like OpenCellID, movement can be reconstructed with precision that can drop below 100 metres.

No GPS. No explicit location request. Just standard network signalling.


Who Sends Type 0 Messages?

There are three categories.

The operators themselves, first. Verifying that a SIM is active, managing IoT devices in the background, testing network coverage: these are legitimate uses invisible to the subscriber.

Law enforcement, next. In Germany, parliamentary questions revealed that authorities send hundreds of thousands of Type 0 SMS messages per year as part of lawful surveillance. Court order, periodic pings to the target number, Cell ID collection, trajectory reconstruction. It’s the remote version of an IMSI-catcher.

Malicious actors, finally. Validating active numbers before a targeted attack, tracking movement, attempting to force a device toward weaker protocols: all documented. The barrier to entry is real — it’s not within reach of an isolated individual. But for a state or well-organized group with signalling network access, it’s trivial.


It’s Not a Bug — It’s the Design

I insist on this because it’s what surprised me most.

We’re not exploiting a vulnerability. We’re not installing spyware. We’re simply using a feature provided in the technical specifications of the protocol, deployed on every cellular network in the world, unchanged for 30 years.

The network was designed in an era when SS7 was a closed club between operators who implicitly trusted each other. There was no strong authentication because nobody saw the need.

Today, that access is no longer strictly reserved to historical operators. And the implicit trust model has become a structural problem.

We’ve added filters, SS7 firewalls, detection mechanisms. But it’s not a redesign. It’s patching on a 40-year-old architecture.

And 5G? As long as we remain in NSA mode (Non-Standalone Architecture, which still relies on a 4G network core), SS7 risks don’t disappear.


Signal, WhatsApp, VPN: Does Any of That Change This?

Nothing on this specific point.

Signal and WhatsApp encrypt your communications over the internet. The Type 0 SMS, meanwhile, operates at the operator signalling level — a completely separate layer that these applications don’t touch. A VPN doesn’t either.

You can use Signal permanently and still receive Type 0 messages without knowing it. The two levels are completely separate: one doesn’t protect against the other.


What This Means for You

I’m not writing this article to scare you. I’m writing it because I find it important for executives to understand what their phone does without their knowledge.

A few concrete reflections:

For sensitive contexts (negotiation, merger and acquisition, travel in certain countries), the presence of an active cell phone is a location data source — independent of your other digital practices.

For your security vendors, it’s a good question to ask: “What does your program cover in terms of network signalling?” The answer will often be “nothing,” and that’s fine — but at least you know.

The only real mitigation, if you need it, is the absence of a device or full airplane mode. That’s radical, but it’s the only user-side protection.


In Short

I may be late to this topic. Telecom researchers have known for years.

Yet in conversations I have with executives and SMB security teams, it’s almost never mentioned.

It’s not an exploit. It’s not new. It’s a 30-year-old feature that works perfectly, and its implications for privacy and operational security are real.

The cellular network knows where you are. Not because someone hacked your phone. Because your phone does exactly what it was designed to do.


Questions or nuances to add? I read the comments.


Further Reading

The source technical specification

  • 3GPP TS 23.040 — The original specification defining SMS, including Type 0. That’s where the phrase “must acknowledge receipt, may discard contents” appears.

Recent research — exploitation in real conditions

Technical overview — state of risks in 2025

On police transparency — what we no longer know

The cell tower geolocation database

  • OpenCellID — The largest open database of cell towers. Concretely illustrates why a Cell ID can become a geographic position.