Key Takeaways:
- Two sophisticated spying campaigns are actively exploiting well-known, long-standing vulnerabilities in global cellular network protocols (SS7 and Diameter) to track individuals’ locations.
- These “ghost” surveillance vendors gain illicit access by piggybacking on legitimate telecom providers, effectively turning them into unsuspecting conduits for government-backed or commercially driven surveillance.
- The identified campaigns, including a covert SIM-level SMS attack (SIMjacker), represent a mere fraction of a much larger, global problem of widespread and often undetectable exploitation of telecommunications infrastructure.
Global Telecoms Under Siege: “Ghost” Vendors Exploit Network Flaws to Track Your Every Move
In a stark reminder of the pervasive threats lurking within our global communications infrastructure, a recent report by the Citizen Lab has unearthed two distinct, yet equally insidious, spying campaigns. These operations are actively leveraging well-documented weaknesses in the foundational protocols of cellular networks to pinpoint the locations of individuals, operating under the radar as “ghost” companies. The findings paint a troubling picture, suggesting that these are but a glimpse into what researchers believe is a widespread and systematic exploitation of global phone networks by surveillance vendors and their state-sponsored clients.
The Citizen Lab, a digital rights organization with a commendable track record of exposing surveillance abuses, detailed these newly identified campaigns in a comprehensive report published on Thursday. The perpetrators are not your typical cybercriminals; they are surveillance vendors who masquerade as legitimate cellular providers, piggybacking on existing network access to clandestinely obtain and exploit location data from their targets. This sophisticated deception highlights a critical vulnerability at the heart of how our phones connect and communicate.
The Vulnerable Backbone: SS7 and Diameter Exploited
At the core of these spying operations lies the continued exploitation of known architectural flaws within the very technologies that underpin our global phone networks. For years, experts have warned about the gaping security holes in Signaling System 7 (SS7), the set of protocols that served as the backbone for 2G and 3G networks. SS7’s fundamental design, lacking built-in authentication or encryption, has long been a siren call for rogue operators, allowing them to geolocate cell phones with alarming ease. Governments and surveillance tech makers have consistently exploited these vulnerabilities, turning what should be a secure communication pathway into an open door for tracking.
While the newer Diameter protocol was designed to replace SS7 for 4G and 5G communications, theoretically addressing its predecessor’s security shortcomings, the reality is far from ideal. As Citizen Lab’s report underscores, the implementation of Diameter’s enhanced protections is often inconsistent across cell providers. This creates an environment where attackers can still find avenues for exploitation, or, in many cases, simply fall back to abusing the older, more vulnerable SS7 protocol, effectively bypassing newer safeguards. The fragmented nature of global telecom security leaves billions of users exposed.
Unmasking the Conduits: Telecom Providers as “Entry Points”
A common thread binding both newly identified spy campaigns is their reliance on access to three specific telecom providers. These operators, according to the researchers, have repeatedly functioned as “the surveillance entry and transit points within the telecommunications ecosystem.” This crucial access has allowed the shadowy surveillance vendors and their government clients to “hide behind their infrastructure,” effectively anonymizing their illicit tracking activities.
The report specifically names Israeli operator 019Mobile, which was allegedly used in numerous surveillance attempts. Similarly, British provider Tango Networks U.K. is cited for facilitating surveillance activity over several years. The third implicated entity is Airtel Jersey, an operator on the Channel Island of Jersey, now under the ownership of Sure. Notably, Sure’s networks have been previously linked to surveillance campaigns, raising persistent concerns.
In response to the allegations, Sure CEO Alistair Beak provided a statement to TechCrunch, asserting that the company “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content.” Beak further clarified, “Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk. Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”
However, the other implicated providers, 019Mobile and Tango Networks, notably did not respond to requests for comment, leaving critical questions about their roles unanswered.
Two Campaigns, Distinct Tactics, Shared Goal: Tracking ‘High Profile’ Targets
The Citizen Lab’s investigation differentiates between two primary surveillance operations, both demonstrating deep integration into the mobile signaling ecosystem.
The Persistent Multi-Year Operation
The first surveillance vendor, unnamed by Citizen Lab, orchestrated spying campaigns spanning multiple years, targeting individuals across the globe. This operation leveraged the infrastructure of various cellphone providers, leading researchers to conclude that diverse government customers were likely behind these coordinated efforts. The evidence, according to the researchers, points to “a deliberate and well-funded operation with deep integration into the mobile signaling ecosystem.”
Gary Miller, one of the lead researchers, hinted to TechCrunch that clues suggest an “Israeli-based commercial geo-intelligence provider with specialized telecom capabilities.” While the specific vendor remains unconfirmed by Citizen Lab, several Israeli companies such as Circles (now part of NSO Group), Cognyte, and Rayzone are known players in the commercial geo-intelligence market. This campaign notably employed a multi-pronged approach, first attempting to exploit SS7 flaws, and then seamlessly switching to Diameter exploitation if the initial attempts proved unsuccessful.
The Covert SIM-Level Attack (SIMjacker)
The second spy campaign utilized a different, arguably more insidious, method. This other unnamed surveillance vendor focused on sending a unique type of SMS message to a specific “high-profile” target. These are not ordinary text messages; they are specially crafted, text-based commands designed to communicate directly with the target’s SIM card, leaving no visible trace on the user’s device.
Under normal circumstances, cellular providers use these messages for innocuous network commands, such as ensuring a device remains connected. However, in this surveillance campaign, the vendor weaponized these messages, sending commands that effectively transformed the target’s phone into a discreet location tracking device. This type of attack, dubbed SIMjacker by mobile cybersecurity company Enea in 2019, demonstrates a sophisticated understanding of network protocols and SIM card functionalities.
“I’ve observed thousands of these attacks through the years, so I would say it’s a fairly common exploit that’s difficult to detect,” Miller commented. He added that these attacks appear to be “geographically-targeted, indicating that actors employing SIMjacker-style attacks likely know the countries and networks most vulnerable to them.”
Miller’s final assessment serves as a sobering warning: these two campaigns are merely the “tip of the iceberg.” “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he emphasized, underscoring the vast, unseen landscape of digital surveillance.
The Bottom Line
The revelations from Citizen Lab are a stark reminder that the foundational security of our global telecommunications infrastructure remains alarmingly fragile. The ability of “ghost” surveillance vendors, likely backed by state actors, to exploit decades-old vulnerabilities in SS7 and incomplete implementations of newer protocols like Diameter, poses a profound threat to individual privacy, national security, and democratic processes worldwide. As our lives become increasingly digital, relying on mobile connectivity for everything from communication to commerce, the imperative for robust, authenticated, and encrypted network protocols is no longer a technical nicety but an urgent global security mandate. Without comprehensive and consistent security upgrades across the global telecom ecosystem, the promise of secure mobile communication will continue to be undermined by a shadowy industry profiting from our vulnerabilities.

