Surveillance firms accused of exploiting telecom access to track phone locations
Researchers reveal surveillance vendors abused telecom access to track users’ phone locations, raising serious concerns over privacy and data security.
Security researchers have uncovered two separate spying campaigns that are allegedly abusing long-known weaknesses in global telecommunications infrastructure to track individuals’ locations. According to researchers, these cases likely represent only a small portion of broader surveillance activity tied to companies attempting to exploit access to global mobile networks.
On Thursday, digital rights organisation Citizen Lab published a detailed report describing the two newly identified campaigns. The group, which has spent more than a decade investigating digital surveillance abuses, said the surveillance vendors involved were operating as so-called “ghost” companies. These entities reportedly posed as legitimate mobile service providers and used privileged network access to retrieve location data of targeted individuals.
The findings highlight ongoing exploitation of long-recognised vulnerabilities in the systems that power global mobile communications.
One of the key weaknesses involves Signalling System 7 (SS7), a set of protocols used in 2G and 3G networks. SS7 has historically served as the backbone for routing calls and text messages between mobile networks worldwide. However, security experts have repeatedly warned that it can be abused to track phone locations due to its lack of strong authentication and encryption, allowing unauthorised actors to exploit it.
While newer 4G and 5G networks use a more modern protocol called Diameter, which was designed to address SS7’s security flaws, Citizen Lab noted that vulnerabilities still exist. In practice, not all telecom providers fully implement Diameter’s security protections, and in some cases, attackers can still exploit SS7 weaknesses.
According to the report, both surveillance campaigns shared a common pattern: they relied on access to three telecom providers that acted as “surveillance entry and transit points” within the global telecommunications ecosystem. This access enabled operators and their government clients to mask their activities by routing through legitimate infrastructure.
The first identified provider is Israeli operator 019Mobile, which researchers said was involved in multiple surveillance attempts. The second is UK-based Tango Networks, which was reportedly used in surveillance-related activity over several years. The third is Airtel Jersey, a Channel Islands-based operator now owned by Sure, a company whose infrastructure has previously been linked to surveillance-related incidents.
Sure CEO Alistair Beak responded to the findings, stating that the company “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content.”
Beak added that while misuse of digital services is possible, the company has implemented safeguards to mitigate such risks. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling,” he said. “Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”
Separately, Gil Nagar, head of IT and security at 019Mobile, sent a letter to Citizen Lab stating that the company “cannot confirm” whether the infrastructure identified in the report actually belongs to them.
High-profile targets identified
Citizen Lab researchers said the first surveillance campaign operated over several years and targeted individuals across multiple regions using infrastructure from different telecom providers. This led researchers to conclude that multiple government clients were likely involved in different phases of the operation.
“The evidence shows a deliberate and well-funded operation with deep integration into the mobile signalling ecosystem,” the researchers wrote in their report.
Researcher Gary Miller, who participated in the investigations, said that indicators suggest involvement from an “Israeli-based commercial geo-intelligence provider with specialised telecom capabilities,” although no specific company was named. Firms such as Circles (later acquired by NSO Group), Cognyte, and Rayzone are known to operate in similar areas of telecom intelligence and surveillance.
The first campaign reportedly attempted to exploit SS7 vulnerabilities and switched to Diameter when those attempts failed.
The second campaign used a different approach. According to Citizen Lab, this operation relied on sending specially crafted SMS messages to a “high-profile” target. These messages interact directly with a SIM card without displaying any visible notification to the user.
Under normal conditions, mobile operators use such messages to send background configuration updates to SIM cards. However, in this case, researchers say the messages were used to issue commands that effectively transformed a mobile device into a location-tracking tool. This technique aligns with an attack method known as Simjacker, first disclosed by cybersecurity researchers in 2019.
“I’ve observed thousands of these attacks through the years, so I would say it’s a fairly common exploit that’s difficult to detect,” Miller said. He added that the geographically targeted nature of the attacks suggests operators were aware of which countries and networks were most vulnerable.
Miller also emphasised that the findings likely represent only a fraction of global activity. “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he said.