SS7 Attack Used to Track Phone Locations | Surveillance Vendor Exposed

New Attack Exploits Cellular Networks to Reveal Subscriber Locations

Cybersecurity researchers have identified a novel attack being leveraged by a surveillance firm operating in the Middle East. This attack is capable of deceiving mobile network operators into revealing the location of cellular subscribers.

Bypassing SS7 Security Protocols

The method centers around circumventing the security measures implemented by carriers to safeguard SS7, or Signaling System 7. SS7 is a crucial suite of protocols utilized by global phone companies to manage the routing of calls and text messages internationally.

A key function of SS7 is enabling carriers to request data regarding the cell tower to which a subscriber’s device is currently connected. This information is typically used for accurate billing, particularly for international calls and messages.

Recent Observations and Targeting

Enea, a cybersecurity firm specializing in protections for mobile carriers, reports observing this new bypass attack being exploited by the unnamed surveillance vendor since late 2024. The purpose was to ascertain the locations of individuals’ phones without their consent.

Cathal Mc Daid, VP of Technology at Enea and co-author of the related blog post, stated to TechCrunch that the vendor targeted a limited number of subscribers. The attack’s effectiveness varied across different mobile carriers.

Location Accuracy and Notification

The bypass technique allows the surveillance vendor to pinpoint a user’s location to the nearest cell tower. In urban environments or areas with high population density, this can narrow the location down to within a few hundred meters.

Enea alerted the affected mobile operator to the exploit but has refrained from disclosing the identity of the surveillance vendor, only confirming its base of operations is in the Middle East.

Growing Trend of Location Exploitation

Mc Daid emphasized that this attack represents a growing trend of malicious actors utilizing such exploits to obtain location data. He suggests that the vendors’ continued development and deployment of these methods indicate their success in certain contexts.

“We anticipate further discoveries and utilization of similar techniques,” Mc Daid added.

The Role of Surveillance Vendors

Surveillance vendors, encompassing spyware developers and providers of large-scale internet traffic analysis, are typically private entities. They primarily serve government clients, conducting intelligence-gathering operations.

Governments often justify the use of spyware and similar technologies as tools against serious criminal activity. However, these tools have also been documented in the targeting of civil society members, including journalists and activists.

Historical Access Methods

Previously, surveillance vendors have gained access to SS7 through various means, including collaboration with local phone operators, misuse of leased “global titles,” or leveraging government connections.

Limited User Defenses

Due to the nature of these attacks occurring at the cellular network level, individual subscribers have limited options for self-defense. Protecting against these exploits primarily falls on the responsibility of telecommunications companies.

Patchwork Security and Global Vulnerabilities

Mobile carriers have been implementing firewalls and other cybersecurity measures to defend against SS7 attacks in recent years. However, the fragmented nature of the global cellular network means that security levels vary significantly, even within the United States.

U.S. Government Awareness

A letter sent to Senator Ron Wyden’s office last year revealed that the U.S. Department of Homeland Security identified several nations – including China, Iran, Israel, and Russia – as having exploited SS7 vulnerabilities to target U.S. subscribers as early as 2017. Saudi Arabia has also been implicated in using SS7 flaws for surveillance of its citizens within the United States.