Nutcracker framework aids mobile analysis

- Citizen Lab said on April 23 it uncovered two telecom surveillance campaigns that tied real attack traffic to mobile operator signalling infrastructure.
- The researchers said the operators mixed SS7, Diameter and malicious SMS, reusing telecom identifiers across years to track targets covertly.
- Regulators were already probing SS7 and Diameter weaknesses before this report mapped abuse to carriers and roaming pathways. (citizenlab.ca)

Mobile networks carry calls and texts by passing quiet control messages between carriers, and those same signalling messages can be abused to locate a phone. (citizenlab.ca) (eff.org) Citizen Lab said on April 23 that it found two surveillance campaigns exploiting that carrier-to-carrier layer and, for the first time, linked the traffic to mobile operator signalling infrastructure. (citizenlab.ca) (cyberscoop.com) The University of Toronto researchers said the actors used customized tools to spoof operator identities, steer messages through selected network paths and hide behind trusted telecom entry points. (citizenlab.ca) (cyberscoop.com) One campaign combined Signaling System 7 (SS7) traffic, the 2G/3G protocol, with Diameter traffic, its counterpart on 4G and most 5G networks. Another sent a malicious SMS carrying hidden SIM card commands to pull location data from a target device. (citizenlab.ca 1) (citizenlab.ca 2)

SS7 is the older signalling protocol used across 2G and 3G networks. Diameter is the newer equivalent for 4G and most 5G roaming, but Citizen Lab said operators still run mixed generations side by side. (citizenlab.ca) (eff.org) That overlap matters because a phone roaming across networks can be reachable through both systems at once, creating extra openings even where carriers believe newer protections are in place. (citizenlab.ca) (nextgov.com)

Citizen Lab said telemetry from Cellusys showed operator identifiers being reused over multiple years, which let the researchers cluster activity into long-running surveillance operations. (citizenlab.ca) The report said the traffic touched infrastructure associated with operators in the United Kingdom, Israel, China, Thailand, Sweden, Italy, Liechtenstein, Cambodia, Mozambique, Uganda, Rwanda, Poland, Switzerland, Morocco, Namibia, Lesotho and Jersey. (citizenlab.ca) (cyberscoop.com) Citizen Lab did not name the surveillance vendors behind the two campaigns, and Ron Deibert said the opacity of telecom signalling makes those operators hard to identify directly. (cyberscoop.com)

The Federal Communications Commission opened an inquiry into SS7 and Diameter security in March 2024, and the new Citizen Lab findings add concrete evidence that the abuse is still active. (nextgov.com) (citizenlab.ca) The report's central point is simple: attackers do not need to hack a phone if they can rent or borrow trust inside the global telecom system. (citizenlab.ca)
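The clustering the report describes, reused operator identifiers grouped over time into long-running operations, and the roaming overlap where one subscriber is reachable over both SS7 and Diameter, can be illustrated from a defender's side with a small telemetry analysis. The following Python is an added example, not code from Citizen Lab, Cellusys or the report; the pipe-separated record format, the field names and every identifier and subscriber token in it are constructed placeholders, and the one-year span and mixed-protocol thresholds are assumptions chosen for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Constructed sample telemetry for this example. The field layout is an
# assumption: date|protocol|origin identifier|target subscriber token|category.
# In live data the origin would be an SS7 global title or a Diameter
# Origin-Host; the values below are placeholders, not real operator identifiers.
SAMPLE_TELEMETRY = """\
2021-03-02|SS7|OP-ID-A|SUB-0001|LOCATION_QUERY
2021-03-02|SS7|OP-ID-A|SUB-0002|LOCATION_QUERY
2022-11-15|DIAMETER|OP-ID-A|SUB-0001|LOCATION_QUERY
2023-06-09|DIAMETER|OP-ID-A|SUB-0003|LOCATION_QUERY
2023-06-10|SS7|OP-ID-B|SUB-0004|ROUTING_INFO
2023-06-11|SS7|OP-ID-C|SUB-0005|LOCATION_QUERY
"""


@dataclass(frozen=True)
class Event:
    when: date
    protocol: str
    origin: str
    target: str
    category: str


@dataclass
class Cluster:
    """All activity attributed to one originating operator identifier."""
    origin: str
    first_seen: date
    last_seen: date
    protocols: set[str] = field(default_factory=set)
    targets: set[str] = field(default_factory=set)
    events: int = 0

    def span_days(self) -> int:
        return (self.last_seen - self.first_seen).days


def parse_telemetry(text: str) -> list[Event]:
    """Parse the constructed pipe-separated format; skip malformed lines."""
    events: list[Event] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        when, protocol, origin, target, category = parts
        events.append(Event(date.fromisoformat(when), protocol.upper(),
                            origin, target, category))
    return events


def cluster_by_origin(events: list[Event]) -> dict[str, Cluster]:
    """Group events by origin identifier, tracking the time span,
    protocol mix and distinct targets seen from that identifier."""
    clusters: dict[str, Cluster] = {}
    for ev in events:
        c = clusters.get(ev.origin)
        if c is None:
            c = Cluster(ev.origin, ev.when, ev.when)
            clusters[ev.origin] = c
        c.first_seen = min(c.first_seen, ev.when)
        c.last_seen = max(c.last_seen, ev.when)
        c.protocols.add(ev.protocol)
        c.targets.add(ev.target)
        c.events += 1
    return clusters


def flag_long_running(clusters: dict[str, Cluster], min_span_days: int = 365,
                      require_mixed: bool = True) -> list[str]:
    """Origins active for at least min_span_days and, if require_mixed,
    seen over more than one signalling protocol (assumed thresholds)."""
    flagged = []
    for origin, c in clusters.items():
        if c.span_days() < min_span_days:
            continue
        if require_mixed and len(c.protocols) < 2:
            continue
        flagged.append(origin)
    return sorted(flagged)


def targets_on_both_protocols(events: list[Event]) -> set[str]:
    """Subscribers reached over both SS7 and Diameter: the roaming overlap
    where one phone is reachable through two network generations at once."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        seen[ev.target].add(ev.protocol)
    return {t for t, protos in seen.items() if {"SS7", "DIAMETER"} <= protos}


if __name__ == "__main__":
    evs = parse_telemetry(SAMPLE_TELEMETRY)
    cl = cluster_by_origin(evs)
    for origin in flag_long_running(cl):
        c = cl[origin]
        print(f"{origin}: {c.events} events over {c.span_days()} days, "
              f"protocols={sorted(c.protocols)}, targets={len(c.targets)}")
    print("targets seen on both protocols:", sorted(targets_on_both_protocols(evs)))
```

Run on the constructed sample, only OP-ID-A is flagged: its activity spans more than two years and moves from SS7 to Diameter, while the single-day, single-protocol origins are not. SUB-0001 is the subscriber reached through both systems. On real telemetry the same grouping would be keyed on the global title or Origin-Host the carrier actually logs, and the thresholds would be tuned to the operator's normal roaming partners.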
