Security researchers have uncovered two separate espionage campaigns that are abusing well-known vulnerabilities in the global telecommunications infrastructure to track people’s locations. Researchers say these two campaigns are likely just a small snapshot of a broader exploitation by surveillance vendors seeking access to global phone networks.
On Thursday, Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate cellular providers, and kept their access to those networks secret to view their targets’ location data.
The new findings reveal the continued exploitation of known flaws in the technologies underpinning global phone networks.
One of these technologies is Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that for years has been the backbone of how cellular networks connect to each other and route calls and text messages to customers around the world. Researchers and experts have long warned that governments and surveillance technology manufacturers could exploit vulnerabilities in SS7 to geolocate individuals’ cell phones, because SS7 requires neither authentication nor encryption, leaving the door open for rogue operators to misuse it.
The newer protocol, Diameter, designed for 4G and 5G communications, is supposed to replace SS7 and includes security features lacking in its predecessor. But as Citizen Lab points out in this report, there are still ways to exploit Diameter, because cell providers don’t always implement the new security features. In some cases, attackers can still exploit the older SS7 protocol.
Both espionage campaigns have at least one thing in common: both abused access to three specific telecommunications providers that repeatedly “acted as surveillance entry and transit points within the telecommunications ecosystem.” As the researchers explained, this access gave the surveillance vendors behind the campaigns and their government customers the ability to “hide behind their own infrastructure.”
According to the report, the first is Israeli operator 019Mobile, which researchers said was used in several surveillance efforts. Researchers say British provider Tango Networks UK was also used for surveillance activity for several years.
A third cellphone provider, Airtel Jersey, an operator on the Channel Island of Jersey, is now owned by Sure, a company whose networks have been linked to prior surveillance campaigns.
Sure CEO Alistair Beak told TechCrunch that the company “does not directly or knowingly lease access to signaling to organizations for the purpose of locating or tracking individuals, or intercepting communications content.”
“Sure recognizes that digital services can be abused, which is why we take a number of steps to mitigate this risk. Sure has implemented a number of safeguards to prevent misuse of signaling services, including monitoring and preventing inappropriate signaling,” Beak’s statement said. “Any evidence or legitimate complaint related to misuse of Sure’s network results in immediate suspension of service and, where malicious or inappropriate activity is confirmed after investigation, permanent termination.”
019Mobile and Tango Networks did not respond to requests for comment.
Researchers say ‘high profile’ people were targeted
According to Citizen Lab, the first surveillance vendor facilitated spying campaigns for several years against various targets around the world, and used the infrastructure of several different cellphone providers. This led researchers to conclude that different government customers of the surveillance vendor were behind the different campaigns.
“The evidence demonstrates a deliberate and well-funded operation with deep integration into the mobile signaling ecosystem,” the researchers wrote.
Gary Miller, one of the researchers investigating these attacks, told TechCrunch that some clues point to an “Israel-based commercial geo-intelligence provider with specialized telecommunications capabilities,” but did not name the surveillance provider. Several Israeli companies are known to provide similar services, such as Circles (later acquired by spyware maker NSO Group), Cognyte and Rayzone.
According to Citizen Lab, the first campaign relied on trying to abuse flaws in SS7, and then switched to exploiting Diameter when those attempts failed.
The other espionage operation used different methods. In this case, the other surveillance vendor behind it, which Citizen Lab did not name either, relied on sending a particular type of SMS message to a specific “high-profile” target, as the researchers explained.
These are text-based messages designed to communicate directly with the target’s SIM card, without showing any trace of them to the user. Under normal circumstances, cellphone providers use these messages to send innocuous commands to their customers’ SIM cards, which keep the device connected to their network. But according to researchers, the surveillance vendor instead sent commands that turned the target’s phone into a location tracking device. This type of attack was dubbed SIMjacker by mobile cybersecurity company Enea in 2019.
“I’ve seen thousands of attacks like this over the years, so I would say this is a fairly common exploit that is difficult to detect,” Miller said. “However, these attacks appear to be geographically targeted, indicating that actors employing SimJacker-style attacks likely know the countries and networks that are most vulnerable to them.”
Miller clarified that these two campaigns are just the tip of the iceberg. “We focused on only two surveillance operations out of millions of attacks worldwide,” he said.
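For defenders, the SIM-directed messages described above carry standard markers in the SMS header that an SMS firewall or log pipeline can check. The following is an added example, not code from the article or from Citizen Lab's report: it parses an SMS-DELIVER TPDU using the field layout of 3GPP TS 23.040 and flags messages addressed to the SIM that do not come from a known over-the-air platform. The function names, the allowlist and both sample messages are constructed for illustration.

```python
from dataclasses import dataclass

PID_USIM_DATA_DOWNLOAD = 0x7F          # TP-PID: (U)SIM Data download
STK_SECURITY_IEIS = range(0x70, 0x80)  # UDH IEIs: (U)SIM Toolkit Security Headers

@dataclass
class SmsDeliver:
    originator: str
    pid: int
    dcs: int
    ieis: list

def message_class(dcs: int):
    """Message class 0-3 from TP-DCS, or None when no class is encoded."""
    if ((dcs & 0xC0) == 0x00 and dcs & 0x10) or (dcs & 0xF0) == 0xF0:
        return dcs & 0x03
    return None

def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    if len(tpdu) < 3 or tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = tpdu[1]                    # TP-OA length in semi-octets
    pos = 3 + (digits + 1) // 2         # index of TP-PID
    if len(tpdu) < pos + 10:            # PID, DCS, 7-octet SCTS, UDL
        raise ValueError("truncated TPDU")
    # Numeric addresses only: swapped-nibble BCD, trailing F is padding.
    number = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in tpdu[3:pos])[:digits]
    ud, ieis = tpdu[pos + 10:], []
    if tpdu[0] & 0x40 and ud:           # TP-UDHI set: walk the header IEs
        hdr, i = ud[1:1 + ud[0]], 0
        while i + 2 <= len(hdr):
            ieis.append(hdr[i])
            i += 2 + hdr[i + 1]
    return SmsDeliver(number, tpdu[pos], tpdu[pos + 1], ieis)

def triage(tpdu: bytes, trusted_ota_senders: set):
    """Return (verdict, originator, reasons); the allowlist is hypothetical."""
    msg = parse_sms_deliver(tpdu)
    reasons = [name for name, hit in (
        ("pid-usim-data-download", msg.pid == PID_USIM_DATA_DOWNLOAD),
        ("dcs-class-2-sim-specific", message_class(msg.dcs) == 2),
        ("udh-stk-security-header", any(i in STK_SECURITY_IEIS for i in msg.ieis)),
    ) if hit]
    verdict = "ALERT" if reasons and msg.originator not in trusted_ota_senders else "pass"
    return verdict, msg.originator, reasons

# Constructed samples: a SIM data download with an all-zero body, and a plain text.
SIM_OTA = bytes.fromhex("440B91" "5155100000F1" "7FF6" "62401021436500" "07" "027000" "00000000")
PLAIN_TEXT = bytes.fromhex("040B91" "5155100000F2" "0000" "62401021436500" "02" "E834")
```

The originating address in the TPDU is supplied by the sender and is not authenticated, so an allowlist match is a hint for triage, not proof of origin.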