Surveillance vendors caught abusing telecom access to track people’s phone locations, researchers say


Security researchers have discovered two separate spying campaigns that exploit known weaknesses in the global telecommunications infrastructure to track people’s locations. Researchers say the two campaigns are a small snapshot of what they believe is likely widespread exploitation by surveillance vendors seeking access to global phone networks.

On Thursday, Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “shell” companies posing as legitimate mobile providers and used their access to those networks to look up their targets’ location data.

The new findings reveal the continued exploitation of known flaws in the technologies that underpin global telephone networks.

One is the vulnerability of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that has for years been the basis of how mobile networks interconnect and route subscribers’ calls and text messages around the world. Researchers and experts have long warned that governments and surveillance technology makers can exploit vulnerabilities in SS7 to geolocate individuals’ cell phones, because SS7 does not require authentication or encryption, leaving the door open for rogue operators to abuse it.

Diameter, a newer protocol designed for 4G and 5G communications, is supposed to replace SS7 and includes security features that its predecessor lacked. But as Citizen Lab points out in this report, there are still ways to abuse Diameter because cell providers don’t always implement the new protections. In some cases, attackers can still use the old SS7 protocol.

The two espionage campaigns have at least one thing in common: Both repeatedly abused access to three specific telecommunications providers that act “as surveillance access and transit points in the telecommunications ecosystem.” As the researchers explained, this access allowed the surveillance vendors behind the campaigns and their government clients to “hide behind their infrastructure.”

The first is reportedly Israeli operator 019Mobile, which researchers say was used in several surveillance attempts. British provider Tango Networks UK has also been used for surveillance for several years, researchers say.

A third mobile phone provider, Airtel Jersey, an operator on the Channel Island of Jersey, is now owned by Sure, which owns networks linked to previous surveillance campaigns.

Sure CEO Alistair Beak told TechCrunch that the company “does not directly or knowingly lease alarm access to organizations to locate or track individuals or intercept communications content.”

“Of course, we recognize that digital services can be abused, so we take a number of steps to mitigate this risk. We have, of course, put in place a number of safeguards to prevent abuse of our signaling services, including monitoring and blocking inappropriate signals,” Beak said in a statement. “Any evidence or substantiated complaint of abuse of Sure’s network results in immediate termination of service and permanent suspension if malicious or inappropriate activity is confirmed after investigation.”

019Mobile and Tango Networks did not respond to a request for comment.

Researchers say ‘high profile’ people are being targeted

According to Citizen Lab, the first surveillance vendor facilitated several years of spying campaigns against various targets around the world and used the infrastructure of several different cell phone providers. This led researchers to conclude that different government clients of the surveillance vendor were behind the various campaigns.

“The evidence points to a well-thought-out and well-funded operation with deep integration into the mobile signaling ecosystem,” the researchers said.

Gary Miller, one of the researchers investigating the attacks, told TechCrunch that some clues point to “a commercial geo-intelligence provider based in Israel with special telecommunications capabilities,” but did not name the surveillance provider. Several Israeli companies are known to offer similar services, such as Circles (later acquired by spyware maker NSO Group), Cognyte, and Rayzone.

According to Citizen Lab, the first campaign was based on trying to exploit flaws in SS7 and then switching to using Diameter if those attempts failed.

The second spy campaign used different methods. In this case, the other surveillance vendor behind it, which Citizen Lab also did not name, relied on sending a specific kind of SMS message to a specific “high-profile” target, as the researchers explained.

These are text-based messages designed to communicate directly with the target’s SIM card without leaving any trace visible to the user. Under normal circumstances, mobile phone providers use these messages to send harmless commands to their subscribers’ SIM cards to keep devices connected to the network. According to the researchers, the surveillance vendor instead sent commands that turned the target’s phone into a location tracking device. This type of attack was dubbed SIMjacker in 2019 by mobile cybersecurity company Enea.

“I’ve seen thousands of these attacks over the years, so I’d say it’s a fairly common exploit that’s hard to detect,” Miller said. “However, these attacks are geographically targeted, indicating that actors using SIMjacker-style attacks are likely to know the countries and networks most vulnerable to them.”

Miller made it clear that these two campaigns are only the tip of the iceberg. “We focused on just two surveillance campaigns in a universe of millions of attacks worldwide,” he said.
