Digital rights organization Citizen Lab revealed Thursday two separate spying operations exploiting long-standing weaknesses in global telecommunications infrastructure to track individuals' locations. These campaigns utilized vulnerabilities in both older 2G/3G networks and newer 4G/5G systems, according to the group's findings. The report, published by the cybersecurity watchdog, suggests these incidents represent a fraction of a larger, global exploitation trend by surveillance vendors. These are not isolated incidents.
The newly identified campaigns, detailed in a comprehensive report from Citizen Lab, highlight a persistent and concerning exploitation of the very systems designed to connect people across continents. Researchers found that surveillance vendors, operating as what they termed “ghost” companies, masqueraded as legitimate cellular providers. They leveraged this deceptive access to global phone networks to illicitly obtain location data on their targets. This tactic effectively allowed them to hide their true intentions behind the infrastructure of unsuspecting carriers. The sophistication of these operations points to significant resources and technical expertise. They were not amateur efforts.
These findings bring into sharp relief the continued insecurity of Signaling System 7, or SS7, a foundational set of protocols that has for years routed calls and text messages across 2G and 3G networks. Experts have warned for over a decade that SS7 lacks crucial authentication and encryption features, making it susceptible to abuse. Rogue operators can exploit these flaws to pinpoint the geographical location of cell phones. The system was never designed for modern security threats. Its age shows.
More recent communications, utilizing 4G and 5G networks, rely on a protocol called Diameter, which was meant to replace SS7 and include enhanced security measures. However, Citizen Lab's investigation points out that even Diameter remains vulnerable. Cell providers do not always implement the new protections fully. Attackers can sometimes revert to exploiting the older SS7 protocol if Diameter's defenses are insufficient. This creates a dangerous fallback mechanism for those seeking to exploit the networks. It undermines the very purpose of the upgrade.
Both surveillance campaigns, while distinct in their methods, shared a common thread: they abused access to three specific telecom providers. These carriers repeatedly served as “surveillance entry and transit points within the telecommunications ecosystem,” according to the researchers. This access allowed the surveillance vendors and their government clients to operate with a degree of anonymity. They could hide behind established networks.
One of these providers is Israeli operator 019Mobile, which researchers linked to multiple surveillance attempts. British provider Tango Networks U.K. also facilitated surveillance activity over several years. The third provider named in the report is Airtel Jersey, an operator on the Channel Island of Jersey. Airtel Jersey is now owned by Sure, a company whose networks have been previously associated with surveillance campaigns. This history raises questions.
Alistair Beak, CEO of Sure, addressed the allegations directly in a statement to TechCrunch. He stated that Sure “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content.” Beak added that Sure acknowledges the potential for misuse of digital services and has implemented “several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling.” He also confirmed that any evidence of misuse leads to immediate suspension and, if confirmed, permanent termination of service. His words offer a glimpse into the industry’s defensive posture.
Neither 019Mobile nor Tango Networks responded to requests for comment regarding their alleged roles in these surveillance activities. Their silence leaves many questions unanswered. This lack of transparency only exacerbates public concerns about network security.
The first surveillance vendor identified by Citizen Lab orchestrated spying campaigns spanning multiple years. These operations targeted individuals across the globe, leveraging the infrastructure of several different cellphone providers. This extensive reach led researchers to conclude that various government customers were likely behind these diverse campaigns. Gary Miller, one of the researchers involved in the investigation, told TechCrunch that some evidence points to an “Israeli-based commercial geo-intelligence provider with specialized telecom capabilities.” Miller did not name the specific surveillance provider. Several Israeli firms, such as Circles (acquired by NSO Group), Cognyte, and Rayzone, are known to offer similar services. The market for such capabilities is robust.
This first campaign showcased a sophisticated adaptive strategy. It initially attempted to exploit flaws in SS7. If those attempts proved unsuccessful, it then switched to exploiting Diameter. This dual-pronged approach highlights the vendor's determination to achieve its tracking objectives. It reveals a deep understanding of network intricacies.
The second spy campaign employed a different, equally insidious method. This surveillance vendor, also unnamed by Citizen Lab, relied on sending a specific type of SMS message to a single “high-profile” target. These are not ordinary text messages. They communicate directly with the target’s SIM card without leaving any visible trace on the user's phone. Normally, cellular providers use these silent messages for innocuous commands, like keeping a device connected to the network. However, in this case, the surveillance vendor sent commands that effectively transformed the target’s phone into a covert location tracking device. This type of attack, which bypasses user awareness, was previously dubbed SIMjacker by mobile cybersecurity company Enea in 2019. It is a frightening prospect.
Gary Miller emphasized the prevalence of such attacks. “I’ve observed thousands of these attacks through the years, so I would say it’s a fairly common exploit that’s difficult to detect,” Miller stated. He further noted that these attacks appear to be geographically-targeted. This suggests that the actors employing SIMjacker-style attacks likely possess knowledge of which countries and networks are most susceptible. Their intelligence is precise.
Miller also stressed that these two campaigns represent only a fraction of the problem. “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he told TechCrunch. The scale is immense.
What this actually means for your family is a loss of a fundamental expectation of privacy. When your phone, which you carry everywhere, can be turned into a tracking device without your knowledge, the line between personal space and state surveillance blurs. For a working family, this means that simple actions — driving to work, picking up children from school, or visiting a relative across the border — could be monitored. The policy says one thing about secure communications. The reality says another, demonstrating that even with newer protocols, implementation gaps leave doors open for exploitation. This is not just a technical flaw. It is a breach of trust.
Behind the technical language lies a complex web of commercial interests and national security objectives. Surveillance vendors profit from these vulnerabilities, selling capabilities to governments eager to track individuals. The cross-border nature of these telecom networks means a flaw in one country's infrastructure can have repercussions for people far away. This global interconnectedness makes securing these systems a shared responsibility. But who truly shoulders that burden? It is a question without an easy answer.
Why It Matters: These revelations underscore the urgent need for global telecommunication providers and regulators to address known security vulnerabilities more aggressively. The continued exploitation of SS7 and the incomplete security implementations of Diameter pose a direct threat to individual privacy and security worldwide. These issues affect not just high-profile targets but potentially anyone whose data transits through these compromised networks, eroding confidence in digital communications. This is a crucial element of modern life.
Key Takeaways:
- Citizen Lab identified two surveillance campaigns exploiting global telecom weaknesses for location tracking.
- Vulnerabilities in both older SS7 and newer Diameter protocols facilitate these covert operations.
- Three telecom providers—019Mobile, Tango Networks U.K., and Airtel Jersey/Sure—were used as entry points.
- One campaign used hidden SMS messages to turn phones into tracking devices without user knowledge.
- These incidents are likely a small portion of a much larger, global surveillance problem, researchers say.
Moving forward, the focus must shift to stricter enforcement of security standards and increased accountability for telecom operators. Regulators worldwide will need to pressure providers to fully implement existing security measures for Diameter and actively phase out reliance on outdated, insecure protocols like SS7. Consumers, too, should watch for any new tools or advice from cybersecurity experts on how to protect their location data. The fight for digital privacy continues. This will require sustained effort from all parties involved.
Source: TechCrunch








