Surveillance companies exploiting telecom system to spy on targets’ locations, research shows

Brownie2019

Mar 9, 2019
Surveillance vendors are using telecommunications infrastructure to suck up targets’ location data, according to a report released by researchers Thursday.
The report from Citizen Lab, a research institute at the University of Toronto that tracks digital surveillance, says the campaigns exploited a weakness in telecom infrastructure to allow the unnamed vendors to secretly pose as real cellular providers and pinpoint victims’ locations.
One of two campaigns identified by the Citizen Lab worked by sending a text message with malicious hidden SMS commands to targets in an effort to “turn the device into a covert tracking beacon,” the report said.
The other campaign relied on weaknesses in a set of protocols for cellular networks known as Signaling System 7 (SS7). The protocols have long been abused by malicious actors, who exploit the fact that they are the primary way the networks send users’ calls and text messages to their contacts.
SS7 protocols are used primarily in older 3G networks. They are exceptionally vulnerable to attack because SS7 does not verify and authenticate the source of signalling messages and does not use encryption, the report said.
The surveillance vendors also were able to attack Diameter protocols, which are used for newer 4G and 5G networks, according to the report. While Diameter protocols were created to include security protections absent from SS7, many operators have not implemented the safeguards, the report said.
The attack vector
Both campaigns gained access to users’ locations by exploiting the same three telecom networks.
Those mobile networks “repeatedly appear as the surveillance entry and transit points within the telecommunications ecosystem,” the report said. “These networks function as gateways that allow traffic to move through trusted signalling interconnections while granting access to threat actors that hide behind their infrastructure.”
Evidence surfaced by the researchers suggests an Israeli company may be behind the surveillance, Gary Miller, one of the authors of the report, said in an interview.
“The techniques that were used were specifically designed to obfuscate the source, but in looking at the routing of that traffic — it is routing that is injected into the mobile ecosystem — I could see that the traffic would have taken the path back to Israel,” Miller said.
While the Citizen Lab research is unique for having identified specific examples of attacks, Miller said they are commonplace.
“We're not talking about a few spyware attempts,” Miller said. “These are massive, massive amounts of unauthorized traffic and 90 plus percent of them are being generated by third parties accessing the mobile signaling environment. It's such a huge issue that has not been addressed.”
This lines up with a long-running telecom security problem: mobile signaling systems can expose location data if operators do not properly secure them.

What is described here is plausible in general, because SS7 abuse has been documented for years, and Diameter has also been criticized when security controls are weak. That said, I cannot independently verify the specific campaign details, attribution, or scale from the quoted text alone.

What the report is describing

  • SS7 is an older signaling system used in telecom networks, especially legacy 2G/3G environments.
  • It has well-known trust-model weaknesses, so a party with signaling access can sometimes request location-related information or interfere with call/SMS routing.
  • Diameter was introduced for newer networks and includes stronger security features on paper, but poor implementation or weak interconnect controls can still create risk.
  • If a surveillance vendor gains access through a cooperating network, weak operator controls, or signaling intermediaries, location tracking becomes more realistic.

About the “hidden SMS commands” part

That part should be treated carefully.

In general, special or binary SMS messages have historically been used for device management, provisioning, SIM toolkit functions, and other operator features. Some of those mechanisms have been abused in the past for tracking or fingerprinting. But from the quote alone, it is not possible to confirm exactly what message type was used, how reliable it was, or which devices were affected.

So the safest conclusion is:

  • The concept is technically credible.
  • The exact method and impact depend heavily on device type, carrier behavior, SIM/app toolkit support, and whether modern mitigations were in place.

Why this matters

The important point is that this is not the same as ordinary phishing or app-based spyware.

This kind of tracking can happen at the telecom layer, which means:

  • The victim may not need to click anything.
  • Traditional antivirus on the phone may not detect it.
  • The main defensive responsibility often sits with mobile operators and signaling providers, not just end users.

Limits of user-side protection

For ordinary users, there is unfortunately only limited control over SS7/Diameter risks. Practical steps are mostly indirect:

  • Keep the phone and carrier settings up to date.
  • Use end-to-end encrypted apps for sensitive communications, since telecom signaling security does not protect message content well.
  • Prefer carriers with a stronger security reputation and modern network infrastructure where possible.
  • Be cautious with unexplained silent SMS behavior, strange provisioning prompts, or unexpected network-related messages.

Even so, a user generally cannot “patch SS7” themselves. This is mainly a carrier and ecosystem problem.

On attribution to an Israeli company

That part should be treated as an allegation unless supported by the full Citizen Lab report and any corroborating evidence. Routing observations can be useful, but attribution in telecom surveillance cases is often difficult and should not be overstated.

Bottom line

The broad technical claim is credible: insecure telecom signaling can be abused for covert location tracking. The specific vendor attribution and exact attack details need to be confirmed from the original Citizen Lab publication rather than the quoted summary alone.
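As an added illustration (not code from the post, the article or the Citizen Lab report), the toy filter below models the interconnect-side check the post says many operators have not implemented: because SS7 does not authenticate the sender, a signalling firewall can only reason about the claimed origin (the calling Global Title) and the MAP operation carried, and must cross-check both against the home network's own record of where the subscriber is registered. Operation names are real MAP operations from 3GPP TS 29.002; their grouping into three categories is a simplification of the GSMA FS.11 scheme, and all Global Titles, IMSIs and partner names are constructed.

```python
# Toy SS7 interconnect filter (added illustration, not an operator's or the
# report's code). Categories simplified from GSMA FS.11; data constructed.
from dataclasses import dataclass

# Cat 1: only ever legitimate inside the home network -> block from interconnect.
CAT1 = {"anyTimeInterrogation", "sendIMSI", "anyTimeModification"}
# Cat 2: legitimate only from the network the subscriber is currently roaming in.
CAT2 = {"provideSubscriberInfo", "provideSubscriberLocation", "insertSubscriberData"}
# Cat 3: legitimate from any partner, but needs a plausibility check.
CAT3 = {"updateLocation"}

@dataclass
class MapMessage:
    calling_gt: str   # claimed origin; SS7 gives no way to verify it
    operation: str    # MAP operation name
    imsi: str         # subscriber the message is about

# Constructed roaming partners: Global Title prefix -> partner network name.
PARTNERS = {"4479": "uk-partner", "4915": "de-partner"}
# Constructed HLR state: the partner network each subscriber is registered in.
HLR_CURRENT_NETWORK = {"262011234567890": "de-partner"}

def partner_of(gt):
    """Map a calling Global Title to a known roaming partner, or None."""
    return next((name for prefix, name in PARTNERS.items() if gt.startswith(prefix)), None)

def evaluate(msg: MapMessage) -> str:
    """Return 'block', 'allow' or 'flag' for one inbound interconnect message."""
    origin = partner_of(msg.calling_gt)
    if origin is None:
        return "block"      # no agreement with this origin: nothing legitimate to see
    if msg.operation in CAT1:
        return "block"      # location/identity lookups never arrive over interconnect
    if msg.operation in CAT2:
        # Only the network the HLR believes is serving the subscriber may ask.
        return "allow" if HLR_CURRENT_NETWORK.get(msg.imsi) == origin else "block"
    if msg.operation in CAT3:
        # A registration claim from a network other than the current one may be a
        # genuine roaming move or a fake; real firewalls add a time/velocity check.
        return "flag" if HLR_CURRENT_NETWORK.get(msg.imsi) != origin else "allow"
    return "allow"          # e.g. sendRoutingInfoForSM: routine, allowed but logged

if __name__ == "__main__":
    for op in ("anyTimeInterrogation", "provideSubscriberInfo", "updateLocation"):
        print(op, "->", evaluate(MapMessage("447912345678", op, "262011234567890")))
```

The spoofable calling Global Title is exactly why the Cat 2 and Cat 3 decisions lean on the HLR's own state rather than trusting the origin alone.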
