Israeli-linked mobile signaling attacks
- Citizen Lab said on April 23 it uncovered two covert telecom-surveillance campaigns abusing SS7, Diameter, and hidden SIM commands to track phones globally. (citizenlab.ca)
- The most concrete Israel link was 019Mobile infrastructure, which Citizen Lab tied to a November 25, 2024 location-tracking operation and related March 2025 activity. (citizenlab.ca)
- This matters because telecom-level tracking can stay invisible for years and works without compromising the phone itself. (citizenlab.ca)

Mobile signaling is the plumbing underneath your phone service. It is how carriers ask each other where a device is, whether it is roaming, and how to route calls and t(citizenlab.ca)zen Lab said two covert surveillance campaigns were abusing that system to track people across borders — and one of the operator paths it identified was tied to Israel-based 019Mobile. (citizenlab.ca)

### What actually got exposed?

Citizen Lab’s report, “Bad Connection,” says it found two separate (citizenlab.ca)ors mixed older SS7 signaling used in 3G, newer Diameter signaling used in 4G and much of 5G, and in one case a hidden SMS carrying SIM card commands. The point was simple: ask the network where a target is, or make the SIM help reveal it, without leaving the kind of evidence investigators usually find on a handset. (citizenlab.ca)

### Why is mobile signaling such a big deal?

(citizenlab.ca) can get access to the global telecom interconnect ecosystem — basically the club carriers use to talk to each other — that attacker can send requests that look like legitimate operator traffic. That makes the surveillance hard to spot and even harder to attribute. (citizenlab.ca)

### Where does the Israel link come in?

The strongest public link in this specific report is not “Israel” in the abstract. It is 019Mob(citizenlab.ca)e in a location-tracking operation against one device on November 25, 2024. The same operator-specific route record also showed up again in another tracking event dated March 2025. Citizen Lab did not say 019Mobile itself ran the operation — the report’s point is that surveillance actors can lease or otherwise obtain access through legitimate operator pathways. (citizenlab.ca)he campaigns were persistent and reused operator identifiers over multiple years, which let researchers cluster activity into long-running operations. One campaign combined signaling abuse with malicious SMS aimed at the SIM card, trying to turn the target device into a quiet location beacon.
This was not random scanning. It looked like tailored surveillance tradecraft. (citizenlab.ca)

### Why does 4G or 5G not fix this?

Because networks overlap. Phones roaming internationally often register across older and n(citizenlab.ca)carriers do not enable or enforce its newer security protections. Basically, the attacker takes whichever route the network leaves open. (citizenlab.ca)

### Does this mean spyware is no longer needed?

Not exactly. Phone spyware still gives much richer access. But signaling attacks solve a different problem — quiet, precise, low-friction locati(citizenlab.ca)ontent, but you may get enough to map movement, meetings, and presence. That is often all an intelligence customer needs. This is also why Citizen Lab has long treated telecom surveillance firms like Circles as a separate but serious class of threat. (citizenlab.ca)

##(citizenlab.ca) is that weak screening of interconnect traffic lets surveillance messages ride through trusted channels. If you defend executives, dissidents, journalists, or officials, “the phone looks clean” is no longer enough reassurance when the network itself may be doing the leaking. (citizenlab.ca)

### Bottom line?

The news here is not just that mobile signaling can be abused — that part was already known. The shift is that researchers tied real attack traffic t(citizenlab.ca)com weakness into a much more concrete operational warning. (citizenlab.ca)
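
To illustrate the screening gap and the identifier reuse described above, here is an added example (not code from Citizen Lab or the article) that applies one interconnect screening policy to both SS7 and Diameter and then groups blocked messages by originating operator identity. The policy table, the `Event` fields and every sample value are assumptions; the operation names are standard MAP and Diameter S6a message names, not taken from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy (not from the article): location-revealing operations that
# must never arrive over interconnect ("internal") or may arrive only from
# the target subscriber's home operator ("home_only").
POLICY = {
    ("ss7", "anyTimeInterrogation"): "internal",
    ("ss7", "provideSubscriberInfo"): "home_only",
    ("diameter", "Insert-Subscriber-Data-Request"): "home_only",
}

@dataclass(frozen=True)
class Event:
    day: str        # ISO date of the log entry
    proto: str      # "ss7" or "diameter"
    op: str         # MAP operation or Diameter command name
    origin_op: str  # PLMN (MCC+MNC) the source address or realm is registered to
    imsi: str       # target subscriber

def screen(ev: Event, own_plmn: str) -> str:
    """Apply one policy to both protocols so neither is the open route."""
    rule = POLICY.get((ev.proto, ev.op))
    if rule is None or ev.origin_op == own_plmn:
        return "allow"
    if rule == "internal":
        return "block"
    # home_only: an IMSI begins with its home operator's MCC+MNC
    return "allow" if ev.imsi.startswith(ev.origin_op) else "block"

def cluster_blocked(events, own_plmn):
    """Group blocked messages by origin identity: (protocols, first day, last day)."""
    groups = defaultdict(list)
    for ev in events:
        if screen(ev, own_plmn) == "block":
            groups[ev.origin_op].append(ev)
    return {op: (sorted({e.proto for e in evs}),
                 min(e.day for e in evs), max(e.day for e in evs))
            for op, evs in groups.items()}

# Constructed log entries; MCC 001 and 999 are test and private-use codes.
SAMPLE = [
    Event("2022-06-01", "ss7", "anyTimeInterrogation", "99901", "001010000000001"),
    Event("2024-01-15", "diameter", "Insert-Subscriber-Data-Request", "99901", "001010000000001"),
    Event("2024-01-16", "ss7", "provideSubscriberInfo", "99902", "999020000000007"),
    Event("2024-01-17", "ss7", "updateLocation", "99902", "999020000000007"),
]

if __name__ == "__main__":
    for op, summary in cluster_blocked(SAMPLE, "00101").items():
        print(op, summary)
```

In the constructed data, one foreign origin identity is blocked on SS7 in 2022 and again on Diameter in 2024, while the inbound roamer's own home operator is allowed through.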