Researchers say surveillance service vendors have been caught abusing access to telecom companies to track the locations of people’s phones

Security researchers have uncovered two separate espionage campaigns that exploit known vulnerabilities in the global communications infrastructure to track people’s locations. Researchers say these two campaigns are likely a small snapshot of what they believe is widespread exploitation by surveillance vendors seeking access to global phone networks.

On Thursday, Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing the two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “stealth” companies posing as legitimate cellular providers, exploiting their access to those networks to scour the location data of their targets.

The new findings reveal the continued exploitation of known flaws in the technologies that support global phone networks.

One such problem is the lack of security of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that for years has been the backbone of how cellular networks communicate with each other and route subscriber calls and text messages around the world. Researchers and experts have long warned that governments and surveillance technology makers could exploit vulnerabilities in SS7 to determine the geolocation of individuals’ cell phones, as SS7 does not require authentication or encryption, leaving the door open for rogue operators to abuse it.

The newer protocol, Diameter, designed for newer 4G and 5G connections, is supposed to replace SS7 and includes security features that its predecessor lacked. But as Citizen Lab highlights in this report, there are still ways to exploit Diameter, as cell providers don’t always implement new protections. In some cases, attackers can still revert to exploiting the older SS7 protocol.

The two espionage campaigns had at least one thing in common: They both abused access to three specific telecom providers that repeatedly served as “entry and transit points for surveillance within the telecom ecosystem.” This access gave the surveillance vendors and their government agents behind the campaigns the ability to “hide behind their own infrastructure,” as the researchers explained.

According to the report, the first operator was the Israeli operator 019Mobile, which researchers said was used in several surveillance attempts. British provider Tango Networks UK has also been used for surveillance activities over several years, researchers say.

The third mobile phone provider is Airtel Jersey, an operator on the Channel Island of Jersey now owned by Sure, a company whose networks have been linked to previous surveillance campaigns.

Sure CEO Alistair Peck told TechCrunch that the company “does not directly or intentionally rent access to signals to organizations for the purposes of locating or tracking individuals, or to intercept the content of communications.”

“Sure recognizes the potential for misuse of digital services, which is why we are taking a number of steps to mitigate these risks. Sure has implemented several preventive measures to prevent misuse of signals services, including monitoring and blocking inappropriate signals,” Beak’s statement said. “Any evidence or valid complaint regarding misuse of the Sure network will result in immediate suspension of the service, and permanent termination if malicious or inappropriate activity is confirmed after investigation.”

019Mobile and Tango Networks did not respond to a request for comment.

Researchers say “high-profile” people were targeted

According to Citizen Lab, the first surveillance vendor facilitated multi-year espionage campaigns against various targets around the world, using the infrastructure of many different mobile phone providers. This led researchers to conclude that different government agents of the surveillance resource were behind the different campaigns.

“The evidence shows a deliberate, well-funded operation with deep integration into the mobile signaling ecosystem,” the researchers wrote.

Gary Miller, one of the researchers who investigated these attacks, told TechCrunch that some signs point to “an Israel-based commercial geo-intelligence provider with specialized communications capabilities,” but he did not name the surveillance provider. Several Israeli companies are known to provide similar services, such as Circles (later acquired by spyware maker NSO Group), Cognyte, and Rayzone.

According to the Citizen Lab website, the first campaign relied on trying to exploit flaws in SS7, then switching to exploiting Diameter if those attempts failed.

The second espionage campaign used different methods. In this case, the other surveillance provider behind it — also not mentioned by Citizen Lab — relied on sending a special type of SMS to a specific “high-level” target, the researchers explained.

These are text messages designed to communicate directly with the target’s SIM card, without showing any trace of it to the user. Under normal circumstances, these messages are used by mobile phone providers to send harmless commands to subscribers’ SIM cards used to keep the device connected to their network. But the surveillance vendor instead sent commands that turned the target’s phone into a location-tracking device, according to the researchers. This type of attack was dubbed SIMjacker by mobile cybersecurity company Enea in 2019.

“I’ve observed thousands of these attacks over the years, so I would say it’s a fairly common exploit and difficult to detect,” Miller said. “However, these attacks appear to be geographically targeted, suggesting that actors using SIMjacker-style attacks likely know which countries and networks are most vulnerable to them.”

Miller explained that these two campaigns are just the tip of the iceberg. “We only focused on two surveillance campaigns in a world with millions of attacks around the world,” he said.