The Invisible Shadow: How Signaling Vulnerabilities Enable Global Mobile Surveillance

A groundbreaking investigation by Citizen Lab has pulled back the curtain on a series of sophisticated, multi-year surveillance campaigns that exploit the very architecture of our global mobile networks. This isn’t about hacking a smartphone through a malicious app; it is something much more fundamental and difficult to detect.

The report, titled “Bad Connection,” details how suspected Commercial Surveillance Vendors (CSVs) weaponize the underlying signaling protocols—specifically SS7 and Diameter—to track high-profile targets globally. By exploiting the “handshakes” that allow different cellular networks to talk to one another, these actors can pinpoint a user’s location without ever needing to touch the target’s physical device.

These findings reveal a systemic fragility in our interconnected telecommunications ecosystem, where protocols designed decades ago for seamless international roaming are now being hijacked for high-level espionage.

Technical Deep Dive: The Flaws in SS7 and Diameter Protocols

To understand this threat, we have to look at the “language” mobile networks use to communicate. The primary culprit is Signaling System No. 7 (SS7), the legacy protocol used by 3G networks. When SS7 was conceived, the telecommunications world operated on a foundation of absolute trust between national carriers. Consequently, it lacks the modern security requirements we take for granted today, such as robust cryptographically-backed authentication and end-to-end encryption.

Because global connectivity requires third-party intermediaries to lease access to the signaling backbone, threat actors can essentially “rent” a seat at the table. Once they have access, they can inject malicious queries into the network stream. For example, by masquerading as a legitimate roaming partner and issuing a Provide Subscriber Information request, an attacker can trick a carrier into revealing exactly which cell tower a device is currently pinging, resulting in highly accurate real-time location tracking.

Attack flow diagram showing SS7/Diameter exploitation
Visualizing the attack flow: How signaling queries bypass standard security (Source: Citizen Lab)

While the industry moved toward the Diameter protocol for 4G and early 5G networks to introduce better security policies, it hasn’t solved the problem. Due to the necessity of backward compatibility, modern networks must maintain “interworking functions” to communicate with older 3G systems. Attackers exploit this via “combined attach” maneuvers—essentially forcing a protocol downgrade to bypass the more secure Diameter firewalls and exploit the weaker SS7 vulnerabilities.

Campaign ID Primary Protocol Attack Mechanism Target Scope
STA1 SS7 & Diameter Switching Spoofing operator identities across 9 countries to circumvent network firewalls. High-value targets (VVIPs) and telecom executives.
STA2 Direct Device Exploitation Deploying malicious SMS containing hidden SIM commands to extract location data. Broad-spectrum mobile user tracking.

“Ghost Operators” and the Business of Surveillance

Citizen Lab’s analysis successfully traced real-world attack traffic back to legitimate mobile operator infrastructure, suggesting the use of highly centralized, professionalized surveillance tools.

By spoofing the identity of a valid mobile network operator, these CSVs act as “Ghost Operators.” Their malicious signaling traffic is indistinguishable from routine international roaming data, making it nearly impossible for a standard carrier to flag the activity as an intrusion. They aren’t “hacking” the network so much as they are “using” it exactly as it was designed—just with malicious intent.

Network Path Exploited
The exploited network path: How malicious queries travel through legitimate infrastructure (Source: Citizen Lab)

This “low-footprint” approach is incredibly lucrative. These vendors offer platforms to intelligence agencies and private actors that can intercept SMS (facilitating 2FA bypass), listen to calls, and track physical movement—all without requiring a single piece of malware to be installed on the victim’s phone.

The Path Forward: Beyond Isolated Fixes

The implications of this research are a wake-up call for global regulators. While organizations like the Federal Communications Commission (FCC) have begun investigating these vulnerabilities, a simple patch is not coming. Because SS7 and Diameter are inextricably linked through interworking functions, securing one while leaving the other exposed is like locking the front door but leaving the windows wide open.

To achieve true resilience, the telecommunications industry must move toward unified signaling firewalls. These systems must be capable of cross-protocol correlation—analyzing traffic across 3G, 4G, and 5G simultaneously to detect the subtle anomalies and “protocol hopping” that signal a sophisticated surveillance attempt in progress.

Related Articles

Back to top button