Surveillance Vendors Exploit Global Telecom Infrastructure for Location Tracking

Martin Holloway | Published 2w ago | 6 min read | Based on 11 sources

Surveillance companies have infiltrated global telecommunications infrastructure by masquerading as legitimate cellular providers, exploiting decades-old protocol vulnerabilities to track mobile phone locations across international networks, according to new research from Citizen Lab.

The Toronto-based digital rights organization published findings Thursday detailing two newly identified surveillance campaigns that abuse weaknesses in SS7 and Diameter protocols, the signaling systems that enable mobile networks to communicate globally. The report documents how surveillance actors manipulated network signaling data to trigger responses from target users' home networks by issuing signaling messages directed at mobile phone identities (IMSI).

Vietnamese State Operator Targets African Users

From November 2022 to June 2023, Vietnamese mobile operator Gmobile conducted systematic SS7 location-tracking attacks, the research found. Gmobile, owned by GTel Mobile and the Vietnam Ministry of Public Security, used five different SS7 Global Titles to conduct surveillance operations targeting mobile users across African countries.

The Vietnam Ministry of Public Security has faced previous accusations of human rights violations including censorship and restrictions on internet freedom, according to the Citizen Lab report.

During the first half of 2023, Mobile Surveillance Monitor identified approximately 171 networks from 100 source countries that sent targeted geolocation tracking messages to mobile operator networks in Africa, illustrating the scope of unauthorized surveillance activities across the continent.

Ghost Companies Infiltrate Network Access Points

The research identified surveillance vendors operating as "ghost" companies that obtained network access by pretending to be legitimate cellular providers. Three operators were specifically named in surveillance activities: Israeli operator 019Mobile, British provider Tango Networks U.K., and Airtel Jersey, a Channel Island operator now owned by Sure.

Gil Nagar, head of IT and security at 019Mobile, told researchers the company cannot confirm that alleged 019Mobile infrastructure belongs to the company. Sure CEO Alistair Beak stated that the company does not knowingly lease access to signaling for the purposes of locating or tracking individuals.

Worth flagging: These denials highlight the challenge of attributing surveillance activities when bad actors may be spoofing legitimate network identifiers or exploiting compromised infrastructure without operators' knowledge.

Protocol Vulnerabilities Enable Mass Surveillance

SS7 protocols for 2G and 3G networks do not require authentication or encryption, leaving them fundamentally vulnerable to abuse by rogue operators. While the newer Diameter protocol designed for 4G and 5G communications includes enhanced security features, it remains exploitable when cellular providers fail to implement proper security protections.

The IPX (IP eXchange) architecture specifies that only mobile network operators should connect to international signaling networks, not third parties who could expose users to unauthorized geolocation surveillance. However, enforcement of these restrictions remains inconsistent across global telecommunications infrastructure.

In this author's view, having covered the initial SS7 vulnerability disclosures over a decade ago, the persistence of these attacks reflects the telecommunications industry's struggle to balance operational flexibility with security hardening. The same interconnectedness that enables seamless global roaming also creates attack vectors that surveillance companies have learned to exploit systematically.

Broader Surveillance Ecosystem

The telecom surveillance findings emerge alongside growing concerns about location tracking through other vectors. Police and intelligence agencies are using phone advertising data to track people through systems like Webloc, built by Cobwebs and sold by Penlink, which feeds data from up to 500 million devices.

Law enforcement agencies have deployed tools like Fog Reveal to search hundreds of billions of records from 250 million mobile devices, often without search warrants. Local agencies use this data to create "patterns of life" analyses that track people's movements months back in time.

Major U.S. carriers—Verizon, AT&T, Sprint, and T-Mobile—pledged to stop providing phone owners' location information to data brokers, though data broker LocationSmart maintains it does not provide access to location information without user consent.

Legal Challenges Mount

The surveillance activities have prompted legal action across multiple jurisdictions. In July 2021, the Gulf Center for Human Rights filed a complaint in France against NSO Group alleging the company is responsible for harm caused to human rights defenders in the Middle East and North Africa region. Human rights lawyer Arnon Nampa and legal reform advocate Yingcheep Atchanont filed a case in Thai court in June 2023 against various Thai state agencies accused of privacy violations with NSO Group's Pegasus spyware.

The U.S. Supreme Court has agreed to decide the constitutionality of broad search warrants that collect cellphone users' location history to find people near crime scenes, after a federal appeals court in New Orleans ruled that geofence warrants violate the Fourth Amendment's ban on unreasonable searches.

Regulatory Responses Vary Globally

Different jurisdictions are taking varied approaches to location surveillance oversight. India's government is reviewing a telecom industry proposal to force smartphone firms to enable satellite location tracking that is always on, despite protests from Apple, Google, and Samsung.

Analysis: The telecommunications industry faces a fundamental tension between maintaining the open, interoperable protocols that enable global connectivity and implementing security measures that could complicate legitimate network operations. The SS7 protocol, developed in the 1970s, predates modern security concerns by decades, yet remains essential for international roaming and emergency services.

The research underscores how state-sponsored surveillance operations can leverage the same protocol vulnerabilities that affect commercial surveillance vendors, creating a complex threat landscape where distinguishing legitimate network traffic from malicious surveillance becomes increasingly difficult for network operators.

As mobile networks continue their transition to 5G infrastructure, the window for addressing these fundamental protocol vulnerabilities is narrowing. The choice between maintaining backward compatibility with legacy systems and implementing comprehensive security overhauls will determine whether the next generation of mobile infrastructure remains vulnerable to the same surveillance techniques that have plagued cellular networks for over a decade.