What happened
Citizen Lab, the digital surveillance research institute at the University of Toronto, has published a report documenting two campaigns in which surveillance vendors exploited weaknesses in global telecommunications infrastructure to secretly track targets’ physical locations.
The first campaign sent text messages containing hidden SMS commands to targets’ devices, effectively turning the phones into covert tracking beacons without the user’s knowledge. The second exploited weaknesses in Signaling System 7 (SS7), the protocol set used primarily in 3G networks, which has long been open to abuse because it neither verifies the source of signaling messages nor encrypts them. Citizen Lab also found that the vendors were able to attack Diameter, the signaling protocol used in 4G and 5G networks, in cases where operators have not implemented the security protections Diameter was designed to include.
Both campaigns gained access to location data by routing traffic through the same three telecom networks. The report describes these networks as functioning as gateways: they let the vendors’ traffic ride trusted signaling interconnections while hiding the threat actors behind the gateway operators’ own infrastructure. Routing analysis by the researchers suggests an Israeli company may be behind the surveillance, with traffic patterns pointing back to Israel despite technical measures designed to obfuscate the source.
Gary Miller, one of the report’s authors, described the scale of the problem as substantially larger than isolated incidents. He said more than 90% of unauthorized traffic in the mobile signaling environment is generated by third parties and that the volume represents a systemic, unaddressed issue in global telecom infrastructure.
Who is affected
The campaigns targeted specific individuals whose locations were being tracked, suggesting targeted surveillance rather than mass collection. However, Miller’s characterization of the traffic volumes indicates that the underlying infrastructure abuse is widespread, affecting mobile users across multiple networks globally. Any individual or organization whose members may be targeted by commercial surveillance vendors, including journalists, lawyers, executives, dissidents, and government officials, faces potential exposure through these methods.
Why CISOs should care
SS7 vulnerabilities have been known for over a decade and remain unpatched across significant portions of global telecom infrastructure. The fact that surveillance vendors are actively commercializing these weaknesses at scale, routing attacks through trusted telecom interconnections to obscure the source, means that location tracking through telecom exploitation is not a theoretical risk reserved for nation-state adversaries. It is an available commercial service.
For security leaders responsible for protecting high-value individuals, including executives, legal teams, and security personnel, this report is a concrete reminder that mobile device location can be compromised without any interaction from the target and without touching the device itself.
3 practical actions
- Brief high-risk individuals on mobile location exposure via telecom-level attacks: Executives, legal counsel, investigators, and other high-value targets should understand that location privacy cannot be guaranteed through device-level controls alone when the underlying telecom infrastructure is being exploited at the signaling layer.
- Engage your mobile carrier about SS7 and Diameter security controls: Ask your enterprise carrier what monitoring and filtering controls are in place for anomalous SS7 and Diameter signaling traffic, and whether they participate in industry-level threat intelligence sharing on telecom exploitation. Many carriers have implemented some protections, but deployment is inconsistent.
- Consider dedicated threat intelligence monitoring for commercial surveillance vendor activity: Organizations that may be targeted by commercial surveillance vendors should include telecom-layer exploitation in their threat model and evaluate whether their current intelligence sources cover this category of attack, which sits outside the scope of most enterprise security tooling.
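The carrier-side "monitoring and filtering" the second action asks about comes down to source-plausibility checks, because SS7 itself does not authenticate where a signaling message came from: a home network can only ask whether the claimed origin of a location-disclosing query makes sense for that subscriber. The Python below is an added example, not code from Citizen Lab, the report, or any carrier. The operation category labels, network names, roaming-partner table and event records are all constructed for illustration, and the three rules are a simplified sketch of what such a filter checks, not any operator's or industry body's actual rule set.

```python
"""Illustrative source-plausibility filter for location-disclosing signaling.

Added example, not code from Citizen Lab or any carrier. Because SS7 carries
no origin authentication, the home network judges a location query by whether
its claimed origin is plausible. Everything below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Operation categories that reveal a subscriber's serving cell or location.
# These labels are the example's own, not protocol message names.
LOCATION_DISCLOSING = {"location_query", "routing_info_lookup"}


@dataclass(frozen=True)
class SignalingEvent:
    event_id: int
    protocol: str        # "SS7" or "Diameter" (constructed field)
    operation: str       # category label, see LOCATION_DISCLOSING
    origin_network: str  # network claimed in the message's source address
    subscriber: str      # pseudonymous subscriber id
    ts: int              # seconds, constructed


def flag_anomalous(events, roaming_partners, registrations, burst_threshold=3):
    """Return {"events": [(event_id, reason)], "origins": [(origin, count)]}.

    roaming_partners: networks the home operator has an interconnect or
      roaming agreement with (assumed lookup table).
    registrations: subscriber -> network the subscriber is currently
      registered on, from the home network's own records.
    burst_threshold: number of distinct subscribers one origin may query
      across the event list before the origin itself is reported.
    Rule 1: location queries from a non-partner origin are never plausible.
    Rule 2: a partner may only ask about subscribers registered on it.
    Rule 3: one origin querying many subscribers looks like bulk tracking.
    """
    event_findings = []
    per_origin_targets = defaultdict(set)
    for ev in events:
        if ev.operation not in LOCATION_DISCLOSING:
            continue  # routine traffic is out of scope for this filter
        if ev.origin_network not in roaming_partners:
            event_findings.append((ev.event_id, "origin has no interconnect agreement"))
            continue
        serving = registrations.get(ev.subscriber)
        if serving != ev.origin_network:
            event_findings.append(
                (ev.event_id, f"subscriber registered on {serving}, not on origin"))
        per_origin_targets[ev.origin_network].add(ev.subscriber)
    origin_findings = [
        (origin, len(targets))
        for origin, targets in per_origin_targets.items()
        if len(targets) >= burst_threshold
    ]
    return {"events": event_findings, "origins": origin_findings}


# Constructed sample data: two partner networks, four subscribers.
ROAMING_PARTNERS = {"net-A", "net-B"}
REGISTRATIONS = {"sub-1": "net-A", "sub-2": "net-A", "sub-3": "net-B", "sub-4": "net-A"}
SAMPLE_EVENTS = [
    SignalingEvent(1, "SS7", "location_query", "net-A", "sub-1", 0),       # plausible
    SignalingEvent(2, "SS7", "location_query", "net-B", "sub-1", 5),       # wrong serving network
    SignalingEvent(3, "Diameter", "location_query", "net-X", "sub-2", 9),  # no agreement
    SignalingEvent(4, "SS7", "sms_delivery", "net-X", "sub-2", 10),        # not location-disclosing
    SignalingEvent(5, "SS7", "routing_info_lookup", "net-B", "sub-2", 12), # wrong serving network
    SignalingEvent(6, "SS7", "routing_info_lookup", "net-B", "sub-3", 13), # plausible on its own
    SignalingEvent(7, "SS7", "location_query", "net-B", "sub-4", 14),      # wrong serving network
]

if __name__ == "__main__":
    result = flag_anomalous(SAMPLE_EVENTS, ROAMING_PARTNERS, REGISTRATIONS)
    for event_id, reason in result["events"]:
        print(f"event {event_id}: {reason}")
    for origin, count in result["origins"]:
        print(f"origin {origin}: location queries for {count} distinct subscribers")
```

Event 6 passes the per-event rules, yet its origin is still reported under the burst rule because net-B has asked about four different subscribers; that is the point of keeping a per-origin view alongside per-message checks, since a vendor routing through a trusted gateway can make each individual query look legitimate.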
Also in the news today:
- China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks
- American Utility Firm Itron Discloses Breach of Internal IT Network
- Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges
- Litecoin Zero-Day Vulnerability Exploited in DoS Attack, Disrupts Major Mining Pools
- CISA Warns of Multiple SimpleHelp Vulnerabilities Exploited in Attacks
- 153,000 Electricity and Gas Contracts Exposed in Breach Linked to Iberdrola Partner
- Russian-Linked Campaign Compromises Signal Accounts of Senior German Officials
