Surveillance Vendors Caught Abusing Access to Telcos to Track People’s Phone Locations, Researchers Say

The signaling protocols that glue together the world’s cellular networks have long been a security blind spot. SS7, the legacy backbone for 2G and 3G, lacks authentication and encryption, allowing any entity with network access to query a subscriber’s location. Although Diameter was introduced with stronger safeguards for 4G and 5G, inconsistent implementation leaves many operators vulnerable to the same exploits. Researchers have repeatedly warned that these gaps enable rogue actors to infiltrate the mobile ecosystem, but the scale of abuse remains difficult to quantify.

Citizen Lab’s latest report details two sophisticated campaigns that illustrate the problem. In the first, unnamed surveillance vendors created “ghost” carrier fronts—019Mobile in Israel, Tango Networks in the UK, and Airtel Jersey under Sure’s ownership—to gain privileged signaling access. By toggling between SS7 and Diameter, they could continuously geolocate targets worldwide. The second campaign employed a stealthy SIMjacker technique: specially crafted SMS messages that silently reprogram a victim’s SIM card, converting the phone into a covert tracker. Both operations focused on high‑profile individuals, suggesting state‑level sponsorship and a broader market for commercial geo‑intelligence services.

The revelations pressure telecoms and regulators to tighten oversight of signaling services. While Sure publicly cites monitoring and blocking measures, the persistence of these attacks indicates that current safeguards are insufficient. Industry bodies may need to mandate end‑to‑end encryption for signaling traffic and enforce stricter vetting of third‑party access. As mobile networks evolve toward 5G, the balance between functionality and privacy will hinge on proactive security standards, lest the infrastructure continue to serve as a backdoor for surveillance worldwide.