Can any mobile device be considered truly secure when the fundamental protocols of global telecommunications remain inherently vulnerable to exploitation? Recent findings from Citizen Lab suggest the answer is increasingly no. Security researchers have uncovered two separate spying campaigns where surveillance vendors abuse well-known weaknesses in global telecommunications infrastructure to track individual locations.

These operations do not rely on traditional malware installed on a handset. Instead, they focus on the manipulation of the very signaling pathways that allow cellular networks to communicate with one another across borders.

Exploiting the SS7 and Diameter Vulnerabilities

The vulnerability lies within the aging architecture that manages how calls and text messages are routed globally. For decades, Signaling System 7 (SS7) has served as the essential backbone for 2G and 3G networks. However, it was built without modern requirements for authentication or encryption. This architectural oversight allows rogue operators to query the network for a subscriber's location with minimal resistance.

While the industry has attempted to migrate to Diameter, a more secure protocol designed for 4G and 5G communications, the transition is far from seamless. Researchers noted that even when newer protocols are in use, many providers fail to implement necessary security features correctly.

This creates a window of opportunity for attackers to exploit Diameter or simply "fall back" to the older, broken SS7 standard. The result is a persistent gap in the global defense perimeter, allowing sophisticated actors to bypass modern device security by targeting the network itself.

How Surveillance Vendors Use Ghost Networks

The identified campaigns utilized "ghost" companies—entities that masqueraded as legitimate cellular providers to gain unauthorized access to the telecommunications ecosystem. By operating under the guise of standard roaming or transit services, these surveillance vendors could piggyback on existing infrastructure to track targets without triggering traditional security alerts.

Researchers identified several specific points within the global network used as entry and transit points for these activities:

  • 019Mobile: An Israeli operator identified in several surveillance attempts.
  • Tango Networks U.K.: A British provider utilized for tracking activity over a period of several years.
  • Airtel Jersey: An operator on the Channel Island of Jersey, linked to networks previously associated with surveillance campaigns.

The SIMjacker Threat

Beyond the exploitation of signaling protocols, the report detailed a more insidious method known as SIMjacker. This technique involves sending specialized, invisible SMS messages directly to a target's SIM card.

These messages are designed to communicate with the hardware at a level below the user interface, meaning they leave no trace on the phone's screen. By executing specific commands, these messages can essentially turn a standard smartphone into an active location-tracking beacon, all while the owner remains entirely unaware of the breach.

A Systemic Failure of Trust

The scale of this issue extends far beyond isolated incidents of corporate espionage. While researchers focused on two specific campaigns, they warned that these findings represent only a small snapshot of what is likely a much larger, global phenomenon.

The presence of specialized geo-intelligence providers—some allegedly based in Israel—suggests a well-funded and highly integrated industry dedicated to exploiting these network gaps for government customers.

The verdict for the telecommunications industry is clear: current mitigation strategies are failing to keep pace with the sophistication of modern threats. While some operators, such as Sure, have implemented monitoring and blocking measures to prevent the misuse of signaling services, the inherent flaws in the protocols themselves remain a structural liability. Until the global ecosystem moves toward a unified, authenticated, and encrypted standard for all signaling traffic, the privacy of mobile users will remain fundamentally at risk.
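One way the monitoring and blocking described above can work is to screen every SS7 MAP request arriving on an interconnect link against the operator's roaming agreements. The Python below is an added example, not code from Citizen Lab or from any operator named in this article; the rule set is a simplified assumption, and every global title, IMSI prefix and sample record in it is constructed.

```python
from dataclasses import dataclass

# All prefixes and records here are constructed sample values (assumptions).
HOME_GT_PREFIX = "88810"  # global titles of our own network elements
# Roaming partners: their global-title prefix -> IMSI prefix of their subscribers
ROAMING_PARTNERS = {"88820": "99920", "88830": "99930"}

# MAP operations with no reason to arrive from another network
INTERNAL_ONLY = {"anyTimeInterrogation", "sendRoutingInfo", "sendIMSI"}
# MAP operations valid only from the home network of the subscriber concerned
HOME_NETWORK_ONLY = {"provideSubscriberInfo", "insertSubscriberData"}

@dataclass(frozen=True)
class MapRequest:
    calling_gt: str  # SCCP calling-party global title
    operation: str   # MAP operation name
    imsi: str        # subscriber the request is about

def partner_imsi_prefix(gt):
    """IMSI prefix served by the partner owning this global title, or None."""
    for gt_prefix, imsi_prefix in ROAMING_PARTNERS.items():
        if gt.startswith(gt_prefix):
            return imsi_prefix
    return None

def screen(req):
    """Return (verdict, reason) for one request received from outside."""
    if req.calling_gt.startswith(HOME_GT_PREFIX):
        return "block", "home global title arriving from outside"
    if req.operation in INTERNAL_ONLY:
        return "block", "internal-only operation from external network"
    imsi_prefix = partner_imsi_prefix(req.calling_gt)
    if imsi_prefix is None:
        return "block", "sender has no roaming agreement"
    if req.operation in HOME_NETWORK_ONLY and not req.imsi.startswith(imsi_prefix):
        return "block", "sender is not the subscriber's home network"
    return "allow", "consistent with roaming agreement"

SAMPLES = [  # constructed interconnect records
    MapRequest("88820001", "provideSubscriberInfo", "999200000000001"),
    MapRequest("88820001", "provideSubscriberInfo", "999100000000007"),
    MapRequest("88899001", "updateLocation", "999100000000007"),
    MapRequest("88830002", "anyTimeInterrogation", "999300000000003"),
    MapRequest("88810009", "insertSubscriberData", "999100000000007"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.calling_gt, r.operation, *screen(r))
```

Only the first sample is allowed: a partner asking about its own subscriber. The other four are blocked, each by a different rule.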