A recent investigation by Citizen Lab has uncovered sophisticated, multi-year surveillance campaigns exploiting foundational vulnerabilities in global mobile networks.
The report, titled “Bad Connection,” reveals how suspected commercial surveillance vendors (CSVs) weaponize the SS7 and Diameter signaling protocols to covertly track high-profile individuals across the globe without interacting directly with their devices.
These findings underscore a critical failure in the interconnected telecommunications ecosystem, where protocols originally designed for seamless international connectivity are repeatedly abused for espionage.
The Flaws in SS7 and Diameter Protocols
The core issue stems from Signaling System No. 7 (SS7), an older protocol utilized by 3G networks. SS7 was built on a model of inherent trust among operators and lacks robust security mechanisms like authentication and encryption.
Because operators can purchase or lease access to the signaling backbone through third parties, threat actors can inject malicious queries directly into the network.
By sending routine signaling requests, such as “Provide Subscriber Information,” attackers can trick carriers into revealing the specific cell tower to which a mobile device is connected, enabling location tracking with alarming accuracy.
Attack flow (Source: Citizen Lab)
Although the Diameter protocol was developed to secure 4G and early 5G networks with improved authentication policies, researchers emphasize that it remains highly vulnerable. Because modern mobile networks still rely on SS7 for legacy compatibility, attackers exploit “combined attach” functionalities.
| Campaign | Focus / Primary Protocol | Attack Mechanism | Target Scope |
|---|---|---|---|
| STA1 | SS7 and Diameter switching | Spoofed operator identities across 9 countries to evade firewalls. | High-profile telecommunications executives (“VVIPs”). |
| STA2 | Direct device exploitation | Sent malicious SMS with hidden SIM commands to extract location. | Broad tracking capabilities. |
By simultaneously querying both 3G and 4G networks, attackers can bypass Diameter firewalls, effectively downgrading the secure connection and exploiting older SS7 flaws to complete their location-tracking operations.
“Ghost Operators” and Commercial Surveillance
Citizen Lab’s analysis linked real-world attack traffic directly to mobile operator signaling infrastructure across multiple nations, indicating the use of sophisticated, centralized surveillance tools.
By spoofing the identities of legitimate operators, CSVs function as “Ghost Operators,” allowing their malicious queries to blend seamlessly with routine international roaming data. This prevents targeted networks from immediately identifying or blocking the surveillance attempts.
Network path exploited (Source: Citizen Lab)
These capabilities are highly sought after by intelligence agencies, governments, and private actors.
The surveillance vendors sell access to platforms that bypass two-factor authentication, intercept calls and SMS messages, and track physical movements, all without deploying malware to the target’s phone.
The findings by Citizen Lab align with growing concerns from government entities and cybersecurity professionals.
Organizations such as the Federal Communications Commission have initiated probes into SS7 and Diameter vulnerabilities, urging operators to acknowledge and address these inherent structural flaws.
However, isolated protocol upgrades are insufficient. Cybersecurity firms note that because SS7 and Diameter coexist through interworking functions in most modern network environments, securing just one protocol leaves the door open to cross-protocol attacks.
To effectively neutralize these threats, telecom carriers must implement comprehensive, unified signaling firewalls capable of cross-correlating traffic across all generations of network protocols to detect anomalies and block unauthorized tracking requests.
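As an added illustration of the cross-correlation such a unified firewall performs (this is not code from the report or from Citizen Lab), the Python sketch below inspects location-revealing queries for one subscriber across both SS7 and Diameter. The log format, operator names, roaming-state table and sample events are all constructed, and the choice of which operations count as location-revealing is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that reveal a subscriber's location when answered: MAP PSI/ATI on
# SS7, S6a Insert-Subscriber-Data on Diameter. Treating exactly these as probes is an assumption.
LOCATION_OPS = {"SS7": {"PSI", "ATI"}, "Diameter": {"IDR"}}
WINDOW = timedelta(minutes=10)

# Constructed stand-in for the HLR/HSS roaming state: the visited network
# each home subscriber is actually attached to right now.
ROAMING_STATE = {"001010123456789": "DE-OPX"}

# Constructed signaling log: ts|protocol|operation|origin network|origin country|IMSI
SAMPLE_LOG = [
    "2024-05-01T10:00:00|SS7|PSI|DE-OPX|DE|001010123456789",       # genuine visited network
    "2024-05-01T10:02:00|Diameter|IDR|FR-OPY|FR|001010123456789",  # same subscriber, other protocol
    "2024-05-01T10:04:00|SS7|PSI|ES-OPZ|ES|001010123456789",       # third origin, back on SS7
    "2024-05-01T10:05:00|Diameter|ULR|FR-OPY|FR|001010123456789",  # routine update, not a probe
]

def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, proto, op, origin, cc, imsi = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "op": op,
            "origin": origin, "cc": cc, "imsi": imsi}

def correlate(lines, roaming_state=ROAMING_STATE):
    """Return one alert dict per finding for location probes inside WINDOW:
    origin not matching the subscriber's visited network (a possible "ghost
    operator"), the same IMSI probed over both SS7 and Diameter (the
    combined-attach pattern), or probes arriving from three or more countries."""
    history, alerts = defaultdict(list), []
    for ev in map(parse_event, lines):
        if ev["op"] not in LOCATION_OPS.get(ev["proto"], set()):
            continue  # routine roaming/auth traffic is left alone
        recent = [e for e in history[ev["imsi"]] if ev["ts"] - e["ts"] <= WINDOW]
        recent.append(ev)
        history[ev["imsi"]] = recent
        found = []
        if ev["origin"] != roaming_state.get(ev["imsi"]):
            found.append("origin_mismatch")
        if len({e["proto"] for e in recent}) > 1:
            found.append("cross_protocol_probe")
        if len({e["cc"] for e in recent}) >= 3:
            found.append("multi_country_origins")
        alerts += [{"imsi": ev["imsi"], "origin": ev["origin"], "ts": ev["ts"],
                    "kind": k} for k in found]
    return alerts
```

Run against the constructed log, the first query from the genuine visited network raises nothing, while the later Diameter and SS7 queries from other networks trigger origin-mismatch, cross-protocol and multi-country alerts for the same IMSI.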
