Global Telecom Flaws Exploited to Track Phone Locations – Ankor Tech

Security researchers have exposed two sophisticated surveillance campaigns that exploit critical vulnerabilities in global telecommunications infrastructure to track individual phone locations. A new report from the Citizen Lab reveals that “ghost” surveillance vendors are masquerading as legitimate cellular providers to gain unauthorized access to subscriber location data.

The Anatomy of the Surveillance Exploits

The campaigns leverage long-standing security gaps in the protocols that allow mobile networks to communicate globally. The primary targets for these exploits are the Signaling System 7 (SS7) and Diameter protocols.

  • SS7 Vulnerabilities: Used primarily by 2G and 3G networks, this protocol lacks encryption and authentication, allowing rogue operators to intercept calls and geolocate devices.
  • Diameter Exploits: Designed for 4G and 5G, this successor protocol was intended to close security gaps. However, researchers found that poor implementation by providers allows attackers to bypass protections or force a fallback to the insecure SS7 protocol.
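A defender-side illustration of the SS7 gap described above, added here and not taken from the Citizen Lab report or any operator's tooling: a minimal signaling-screening check that rejects location-revealing MAP requests by operation type and subscriber home network. The operation names are real MAP operations; the global-title prefixes, IMSIs, two-group policy and function names are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed values: IMSI prefix (MCC+MNC) -> global-title (GT) prefix of that operator.
OPERATOR_GT = {"00101": "99910", "99970": "99920"}
HOME_PLMN = "00101"  # the network this filter protects (assumption)

# Real MAP operation names; the two-group policy is a simplified assumption.
INTERNAL_ONLY = {"anyTimeInterrogation"}       # no use between operators
HOME_NETWORK_ONLY = {"provideSubscriberInfo"}  # sent by the subscriber's home network

@dataclass(frozen=True)
class MapRequest:
    calling_gt: str  # SCCP calling-party GT; unauthenticated, so it can be forged
    operation: str   # MAP operation name
    imsi: str        # subscriber the request is about

def screen(req: MapRequest) -> tuple[str, str]:
    """Return (verdict, reason) for one request arriving from an interconnect."""
    if req.operation in INTERNAL_ONLY:
        if not req.calling_gt.startswith(OPERATOR_GT[HOME_PLMN]):
            return "block", "internal-only operation from another network"
    elif req.operation in HOME_NETWORK_ONLY:
        # Assumes a 2-digit MNC, so the operator is the first 5 IMSI digits.
        expected = OPERATOR_GT.get(req.imsi[:5])
        if expected is None:
            return "block", "location query for subscriber of unknown operator"
        if not req.calling_gt.startswith(expected):
            return "block", "location query not from subscriber's home network"
    return "allow", "no rule matched"

# Constructed sample traffic, not taken from any real network.
SAMPLE = [
    MapRequest("9993055501", "anyTimeInterrogation", "001010000000001"),
    MapRequest("9991000002", "anyTimeInterrogation", "001010000000001"),
    MapRequest("9993055501", "provideSubscriberInfo", "001010000000001"),
    MapRequest("9992000007", "provideSubscriberInfo", "999700000000009"),
    MapRequest("9993055501", "updateLocation", "999700000000009"),
]

def run_sample() -> list[str]:
    return [screen(r)[0] for r in SAMPLE]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.calling_gt, r.operation, *screen(r))
```

Because the rules key on operation type and the subscriber's home network rather than on a list of trusted peers, a request relayed through another operator's leased access is still rejected.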

Telecom Providers Under Scrutiny

The investigation identified three specific telecom providers that served as entry and transit points for these surveillance operations: 019Mobile (Israel), Tango Networks U.K., and Airtel Jersey. The latter, now owned by Sure, has been linked to previous surveillance controversies.

Alistair Beak, CEO of Sure, stated that the company does not knowingly lease access for tracking purposes and employs monitoring tools to block inappropriate signaling. Conversely, 019Mobile’s head of IT, Gil Nagar, disputed the findings, claiming the company could not confirm the infrastructure identified by Citizen Lab belongs to them. Tango Networks did not provide a comment.

SIMjacker and Targeted Attacks

Beyond network protocol abuse, one of the campaigns utilized “SIMjacker” tactics. By sending stealthy SMS commands to a target’s SIM card—commands usually reserved for network maintenance—the attackers surreptitiously transformed the victim’s mobile device into a real-time tracking beacon.

Researcher Gary Miller, who participated in the investigation, noted that these attacks are highly professional and well-funded. “I’ve observed thousands of these attacks through the years; it’s a fairly common exploit that’s difficult to detect,” Miller stated, emphasizing that these two campaigns represent only a fraction of a much larger, global ecosystem of surveillance exploitation.

A Pervasive Industry Threat

While the specific names of the surveillance vendors remain undisclosed, industry experts suggest they are likely commercial geo-intelligence firms. The ability to hide behind the infrastructure of legitimate telecom providers grants these actors a significant advantage, allowing government customers to conduct surveillance with minimal risk of exposure.

The findings serve as a stark reminder that despite technological upgrades to 5G, the core architecture of mobile communications remains deeply susceptible to abuse, leaving high-profile individuals and ordinary users alike vulnerable to unauthorized geolocation.