New SS7 Vulnerability Exploited by Surveillance Firms to Track Mobile Users

In a concerning development for mobile security, researchers have uncovered that a surveillance company operating in the Middle East has been exploiting a newly identified vulnerability to track the locations of mobile phone users. This alarming revelation highlights the ongoing risks associated with mobile network security and the potential for misuse of sensitive information.

The attack circumvents the security measures that telecommunications providers have implemented to guard against unauthorized access to SS7, or Signaling System 7. This set of protocols is crucial for global telecommunications, as it handles the routing of calls and messages between subscribers worldwide.

SS7 also enables carriers to determine which cell tower a subscriber’s phone is connected to, a function typically utilized for accurate billing when users make international calls or send messages. However, this same capability can be exploited by malicious actors to pinpoint a user’s location without their consent.

Cybersecurity experts from a firm specializing in telecommunications protection reported that they have tracked the unnamed surveillance vendor utilizing this bypass technique since late 2024. This method allows the vendor to access the locations of individuals’ phones discreetly, raising significant privacy concerns.

Cathal Mc Daid, the Vice President of Technology at the cybersecurity firm, shared insights with TechCrunch, noting that the surveillance vendor appeared to focus on a limited number of subscribers, indicating that the attack was not universally effective across all carriers.

According to Mc Daid, the exploitation enables the vendor to narrow down an individual’s location to the nearest cell tower, which can be as precise as a few hundred meters in urban settings. This level of accuracy has serious implications for personal privacy and security.

The cybersecurity firm has alerted the telecommunications operator affected by this exploit but has chosen not to disclose the identity of the surveillance vendor, only mentioning its base of operations in the Middle East.

Mc Daid expressed concern over the growing trend of malicious entities leveraging such vulnerabilities to track individuals, emphasizing that the existence of these exploits suggests they are being successfully utilized elsewhere.

Surveillance companies, which may include those producing spyware or providing bulk internet traffic services, typically cater to government clients for intelligence-gathering purposes. While governments often justify the use of such technologies against serious criminal activities, there have been numerous instances where these tools have been misused against journalists and activists.

Historically, surveillance vendors have gained access to SS7 through local telecom operators, misused global titles, or government affiliations. Because these attacks occur at the cellular network level, individual phone users have limited options for protection. The responsibility for safeguarding against these threats falls largely on telecommunications companies.

In recent years, many phone carriers have implemented firewalls and other cybersecurity measures to defend against SS7 vulnerabilities. However, the inconsistent security landscape across global networks means that not all carriers, including those in the United States, are equally protected.

A letter sent to Senator Ron Wyden’s office last year revealed that the U.S. Department of Homeland Security had acknowledged vulnerabilities in SS7 as far back as 2017, noting that several countries, including China, Iran, Israel, and Russia, have exploited these weaknesses to target U.S. subscribers. Additionally, Saudi Arabia has been reported to misuse SS7 flaws to surveil its citizens residing in the United States.
