Telco location‑tracking abuse
- What happened: researchers exposed vendors misusing telecom access to track people’s phone locations globally.
- The key specific: Citizen Lab–linked research found two surveillance vendors abusing telco access for location tracking.
- Context/reaction: the finding broadens mobile risk beyond device exploits to network-level abuses that affect both consumer and enterprise users (techcrunch.com).

Mobile carriers trust one another’s networks to route calls and texts, and Citizen Lab said two covert surveillance campaigns abused that trust to track people’s phones across borders. (citizenlab.ca)

Citizen Lab published the report on April 23, 2026 after starting its investigation in late 2024 with data from mobile signalling firewall logs and intelligence from security firm Cellusys. The researchers said they linked real attack traffic to operator signalling infrastructure for the first time. (citizenlab.ca; cyberscoop.com)

The operators posed as legitimate telecom companies, used custom tools to spoof carrier identities, and switched between Signaling System 7, or SS7, and Diameter, the signalling systems used by 3G and 4G and much of 5G networks. In one campaign, Citizen Lab said the attacker also sent a malicious text message with hidden SIM card commands to turn a phone into a tracking beacon. (citizenlab.ca; techcrunch.com)

SS7 is the control system that lets mobile networks find subscribers and hand off calls, but researchers have warned for years that weak authentication lets rogue operators query a phone’s location. Diameter was built as a more secure replacement, yet Citizen Lab said carriers do not always enable those protections and attackers can still fall back to older paths. (techcrunch.com; docs.fcc.gov)

Citizen Lab said the campaigns used identifiers and infrastructure tied to operators in at least 17 places, including the United Kingdom, Israel, China, Thailand, Sweden, Italy, Liechtenstein, Cambodia, Mozambique, Uganda, Rwanda, Poland, Switzerland, Morocco, Namibia, Lesotho, and Jersey. The report said the activity could persist for years without detection because inter-carrier traffic is screened unevenly. (citizenlab.ca)

TechCrunch reported that both campaigns repeatedly abused access through three telecom providers that acted as entry or transit points, including Israeli operator 019Mobile and British provider Tango Networks U.K. Citizen Lab did not say those carriers knowingly participated, and the researchers said the vendors hid behind legitimate infrastructure. (techcrunch.com; citizenlab.ca)

The findings land as regulators are already tightening rules around telecom signalling access. In April 2025, Ofcom said leased Global Titles, the routing addresses used in mobile signalling, had become “one of the most significant and persistent sources of malicious signalling,” and it barred new leases immediately while ordering most existing leases to end by April 22, 2026. (ofcom.org.uk; ofcom.org.uk)

In the United States, the Federal Communications Commission asked for comment in 2024 on whether carriers’ defenses against SS7 and Diameter abuse were actually stopping location tracking through mobile devices. CyberScoop reported that Senator Ron Wyden also sought a Cybersecurity and Infrastructure Security Agency report on those vulnerabilities. (docs.fcc.gov; cyberscoop.com)

Citizen Lab said it could not identify the two vendors or the government customers behind them, and director Ron Deibert said the opacity of telecom signalling lets surveillance firms operate without revealing who they are. The report’s bottom line was narrower and harder to fix than a spyware infection: the phone network itself can be the tracking tool. (cyberscoop.com; citizenlab.ca)
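
The switching between SS7 and Diameter described above suggests one check a carrier can run over its own signalling firewall logs: flag subscribers who receive location-capable queries over both protocols from non-partner origins within a short window. The following is an added example, not code from the Citizen Lab report; the log format, the operation names treated as location-capable, the partner allow-list, and every identifier in the sample are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that can return a subscriber's location (assumed set; the page names none).
LOCATION_OPS = {
    "SS7": {"anyTimeInterrogation", "provideSubscriberInfo"},
    "DIAMETER": {"Insert-Subscriber-Data-Request"},
}
# Hypothetical allow-list of roaming-partner origins (Global Title or Diameter realm).
PARTNERS = {"447700900000", "epc.mnc001.mcc001.3gppnetwork.org"}

# Constructed log lines: time, protocol, operation, origin, target IMSI.
SAMPLE_LOG = """\
2026-01-10T09:00:05Z,SS7,provideSubscriberInfo,999000111222,001010000000001
2026-01-10T09:03:40Z,DIAMETER,Insert-Subscriber-Data-Request,epc.mnc099.mcc999.3gppnetwork.org,001010000000001
2026-01-10T09:05:00Z,SS7,provideSubscriberInfo,447700900000,001010000000002
2026-01-10T09:06:00Z,SS7,updateLocation,999000111222,001010000000003
2026-01-10T11:00:00Z,SS7,anyTimeInterrogation,999000111222,001010000000004
2026-01-10T14:00:00Z,DIAMETER,Insert-Subscriber-Data-Request,epc.mnc099.mcc999.3gppnetwork.org,001010000000004
"""

def parse(log):
    """Yield (time, protocol, operation, origin, imsi) per non-empty line."""
    for line in log.strip().splitlines():
        ts, proto, op, origin, imsi = (f.strip() for f in line.split(","))
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proto, op, origin, imsi

def cross_protocol_hits(log, window=timedelta(minutes=10)):
    """Map IMSI -> sorted non-partner origins that sent location queries over
    both SS7 and Diameter within `window` of each other."""
    events = defaultdict(list)
    for ts, proto, op, origin, imsi in parse(log):
        if op in LOCATION_OPS.get(proto, ()) and origin not in PARTNERS:
            events[imsi].append((ts, proto, origin))
    hits = defaultdict(set)
    for imsi, evs in events.items():
        evs.sort()
        for i, (t1, p1, o1) in enumerate(evs):
            for t2, p2, o2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break  # later events are even further away
                if p1 != p2:
                    hits[imsi].update((o1, o2))
    return {imsi: sorted(origins) for imsi, origins in hits.items()}

if __name__ == "__main__":
    for imsi, origins in cross_protocol_hits(SAMPLE_LOG).items():
        print(imsi, "queried over SS7 and Diameter by", origins)
```

Partner traffic and non-location operations are ignored, so only the first sample subscriber is flagged at the default ten-minute window.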