Phone Location Tracking: Surveillance Firms Abused Telco Access, Study Finds

Phucthinh

A recent investigation has revealed disturbing practices within the global telecommunications infrastructure, exposing how surveillance firms are exploiting vulnerabilities to track individuals’ locations. Security researchers have uncovered two distinct spying campaigns leveraging weaknesses in both legacy and modern cellular networks. This isn't an isolated incident; experts believe these campaigns represent a fraction of a much wider, ongoing exploitation of telecom access by surveillance vendors seeking to monitor global phone activity. The findings raise serious concerns about privacy and security in an increasingly connected world, demanding immediate attention from both industry stakeholders and policymakers.

Citizen Lab Report Details Widespread Abuse

On Thursday, Citizen Lab, a renowned digital rights organization with over a decade of experience in uncovering surveillance abuses, published a comprehensive report detailing these two newly identified campaigns. The surveillance vendors operating behind these campaigns functioned as “ghost” companies, masquerading as legitimate cellular providers to gain access to networks and subsequently track the location data of targeted individuals. This deceptive tactic highlights the sophisticated methods employed by these actors and the challenges in identifying and mitigating such threats.

The Vulnerabilities: SS7 and Diameter

The core of these surveillance operations relies on exploiting known flaws in the technologies that underpin global phone networks. One key vulnerability lies within Signaling System 7 (SS7), a set of protocols used in 2G and 3G networks. For years, SS7 has served as the backbone for connecting cellular networks and routing calls and texts worldwide. However, researchers have long warned that its lack of authentication and encryption makes it susceptible to exploitation by governments and surveillance tech manufacturers, allowing them to geolocate individuals’ cell phones.

While Diameter, a newer protocol designed for 4G and 5G communications, was intended to replace SS7 and address its security shortcomings, the Citizen Lab report reveals that it’s not a foolproof solution. Cell providers often fail to fully implement the new security features, leaving loopholes that attackers can exploit. In some instances, attackers can even revert to exploiting the older, more vulnerable SS7 protocol.

Key Telecom Providers as Entry Points

Both spy campaigns shared a common thread: they abused access to three specific telecom providers, which acted as “surveillance entry and transit points” within the telecommunications ecosystem. This access allowed the surveillance vendors and their government clients to conceal their activities behind the infrastructure of these providers. The report specifically identifies:

  • 019Mobile (Israel): Used in multiple surveillance attempts.
  • Tango Networks U.K.: Exploited for surveillance activity over several years.
  • Airtel Jersey: An operator on the Channel Island of Jersey, now owned by Sure, a company previously linked to surveillance campaigns.

Sure CEO Alistair Beak stated to GearTech that the company “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content.” He further emphasized that Sure implements protective measures, including monitoring and blocking inappropriate signaling, and immediately suspends services upon evidence of misuse.

019Mobile and Tango Networks did not respond to requests for comment.

Targeting ‘High Profile’ Individuals

Citizen Lab’s investigation indicates that the first surveillance vendor facilitated campaigns spanning several years, targeting individuals across the globe and utilizing the infrastructure of multiple cellphone providers. This suggests the involvement of various government clients commissioning these surveillance operations. The researchers describe the operation as “a deliberate and well-funded operation with deep integration into the mobile signaling ecosystem.”

Gary Miller, a researcher involved in the investigation, told GearTech that clues point to an “Israeli-based commercial geo-intelligence provider with specialized telecom capabilities,” though he refrained from naming the specific vendor. Several Israeli companies, including Circles (acquired by NSO Group), Cognyte, and Rayzone, are known to offer similar services.

SS7 and Diameter Exploitation in the First Campaign

The first campaign initially focused on exploiting vulnerabilities in SS7, and subsequently shifted to Diameter when SS7 attempts failed. This demonstrates the attackers’ adaptability and willingness to leverage any available weakness in the network infrastructure.

SIMjacker Attack in the Second Campaign

The second campaign employed a different tactic. The surveillance vendor sent a specialized type of SMS message to a specific “high-profile” target. These text-based messages are designed to communicate directly with the target’s SIM card, bypassing the user interface. While normally used by cellphone providers for legitimate network commands, the vendor repurposed these messages to transform the target’s phone into a location tracking device. This technique, known as SIMjacker, was first documented by mobile cybersecurity company Enea in 2019.

Miller noted, “I’ve observed thousands of these attacks through the years, so I would say it’s a fairly common exploit that’s difficult to detect.” He added that the geographically targeted nature of these attacks suggests that the actors are aware of which countries and networks are most vulnerable to SIMjacker-style exploits.

The Tip of the Iceberg: A Global Problem

Miller emphasized that these two campaigns are merely a small representation of a much larger problem. “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he stated. This underscores the pervasive nature of the threat and the urgent need for comprehensive security measures.

Implications and Future Concerns

The findings from Citizen Lab and other security researchers have significant implications for privacy, security, and human rights. The ability of surveillance firms to exploit telecom infrastructure to track individuals raises concerns about government overreach, corporate accountability, and the potential for abuse. The lack of robust security measures in critical network protocols like SS7 and Diameter creates a persistent vulnerability that can be exploited by malicious actors.

The Rise of Geo-Intelligence

The demand for geo-intelligence – the ability to pinpoint the location of individuals – is driving the growth of the surveillance industry. Companies specializing in geo-intelligence are increasingly offering their services to governments and law enforcement agencies, often with limited oversight or regulation. This trend raises concerns about the potential for misuse and the erosion of privacy.

The Need for Enhanced Security Protocols

Addressing these vulnerabilities requires a multi-faceted approach. Cell providers must prioritize the implementation of robust security features in both Diameter and future network protocols. Stronger authentication and encryption mechanisms are essential to prevent unauthorized access to signaling networks. Furthermore, increased monitoring and anomaly detection can help identify and mitigate suspicious activity.
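One concrete form the "monitoring and anomaly detection" above can take at an operator's interconnect edge is shown below. This is an added example, not code from the report or from any operator mentioned on this page; the log format, the message classes, the partner allowlist and the sweep threshold are all assumptions constructed for illustration. It flags location-revealing SS7 MAP and Diameter requests that arrive from origins outside the roaming-partner list, and separately flags any single origin that queries many distinct subscribers.

```python
"""Toy interconnect-edge rule set: flag location-revealing signaling from unexpected origins."""
from collections import defaultdict

# Constructed sample of inbound interconnect log lines (hypothetical format):
# timestamp protocol origin operation target-subscriber
SAMPLE_LOG = """\
2024-05-01T10:00:01Z SS7 44123456789 SRI-SM 15551230001
2024-05-01T10:00:02Z SS7 97212345678 PSI 15551230001
2024-05-01T10:00:03Z SS7 97212345678 ATI 15551230001
2024-05-01T10:00:04Z DIAMETER hss.partner.example UDR 15551230002
2024-05-01T10:00:05Z DIAMETER mme.unknown.example IDR 15551230001
2024-05-01T10:00:06Z SS7 97212345678 PSI 15551230003
2024-05-01T10:00:07Z SS7 97212345678 PSI 15551230004
"""

# Simplified message classes (an assumption for this example, not a standard's exact categories).
HOME_ONLY_OPS = {"ATI"}                         # has no business arriving over an interconnect
PARTNER_OPS = {"PSI", "SRI-SM", "IDR", "UDR"}   # acceptable only from a known roaming partner
ROAMING_PARTNERS = {"44123456789", "hss.partner.example"}  # constructed allowlist
SWEEP_THRESHOLD = 3  # distinct subscribers one origin may query before it looks like a sweep


def parse(line):
    ts, proto, origin, op, target = line.split()
    return {"ts": ts, "proto": proto, "origin": origin, "op": op, "target": target}


def detect(log_text):
    """Return (origin, reason) alerts; the sweep rule runs after the per-message rules."""
    alerts = []
    targets_by_origin = defaultdict(set)
    for line in log_text.splitlines():
        m = parse(line)
        if m["op"] in HOME_ONLY_OPS:
            alerts.append((m["origin"], f"{m['op']} from external origin"))
        elif m["op"] in PARTNER_OPS and m["origin"] not in ROAMING_PARTNERS:
            alerts.append((m["origin"], f"{m['op']} from non-partner origin"))
        if m["op"] in HOME_ONLY_OPS or m["op"] in PARTNER_OPS:
            targets_by_origin[m["origin"]].add(m["target"])
    for origin, targets in targets_by_origin.items():
        if len(targets) >= SWEEP_THRESHOLD:
            alerts.append((origin, f"sweep: location queries against {len(targets)} subscribers"))
    return alerts


if __name__ == "__main__":
    for origin, reason in detect(SAMPLE_LOG):
        print(f"ALERT {origin}: {reason}")
```

On the constructed sample, the two allowlisted partners produce no alerts, while the unknown SS7 origin is flagged per message and once more for sweeping three subscribers.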

Regulatory Oversight and Accountability

Governments and regulatory bodies must play a more active role in overseeing the surveillance industry and ensuring accountability. This includes establishing clear guidelines for the use of geo-intelligence technologies, requiring transparency from surveillance vendors, and enforcing strict penalties for abuse. International cooperation is also crucial to address the global nature of this threat.

Protecting Individual Privacy

Individuals can take steps to protect their privacy, such as using encrypted messaging apps, being cautious about clicking on suspicious links, and regularly updating their mobile devices. However, ultimately, the responsibility for protecting privacy lies with governments and the telecommunications industry.

Conclusion

The recent revelations about surveillance firms abusing telco access to track individuals’ locations are deeply concerning. The exploitation of vulnerabilities in SS7 and Diameter, coupled with the deceptive tactics employed by “ghost” companies, highlights the urgent need for stronger security measures, regulatory oversight, and a renewed commitment to protecting individual privacy. This is not just a technical issue; it’s a fundamental question of human rights and the future of a free and open society. Continued research, collaboration, and proactive measures are essential to mitigate this growing threat and safeguard the privacy of individuals worldwide.