Eilmeldung
DEWM-Achtelfinale: Belgien gleicht gegen die USA aus und geht erneut in FührungFRCoupe du Monde 2026 : L'Espagne élimine le Portugal, la Belgique bat les USA dans un climat tenduDEFrau in Dortmund lebensgefährlich mit Messer attackiertARالدفاعات الروسية تسقط 9 طائرات مسيرة أوكرانية فوق موسكوCNHong Kong Issues Amber Rainstorm Warning for Yuen Long Amid Severe DownpoursCN印太戰略智庫執行長矢板明夫在台中演講時遭中國籍男子揮拳攻擊RUМэр Москвы Собянин сообщил об уничтожении трех БПЛА, летевших на столицуCN广西55条河流超警 洪水红色预警升级发布INPreliminary Hearing Begins for Charlie Kirk Murder Accused Tyler RobinsonCN蘇志燮新劇《金特務》收視破21.6% 網漫舊爭議再掀波瀾DEWM-Achtelfinale: Belgien gleicht gegen die USA aus und geht erneut in FührungFRCoupe du Monde 2026 : L'Espagne élimine le Portugal, la Belgique bat les USA dans un climat tenduDEFrau in Dortmund lebensgefährlich mit Messer attackiertARالدفاعات الروسية تسقط 9 طائرات مسيرة أوكرانية فوق موسكوCNHong Kong Issues Amber Rainstorm Warning for Yuen Long Amid Severe DownpoursCN印太戰略智庫執行長矢板明夫在台中演講時遭中國籍男子揮拳攻擊RUМэр Москвы Собянин сообщил об уничтожении трех БПЛА, летевших на столицуCN广西55条河流超警 洪水红色预警升级发布INPreliminary Hearing Begins for Charlie Kirk Murder Accused Tyler RobinsonCN蘇志燮新劇《金特務》收視破21.6% 網漫舊爭議再掀波瀾
Newsgather
BackSecurity Researchers Uncover Two Spying Campaigns Exploiting Global Telecom Infrastructure
Security Researchers Uncover Two Spying Campaigns Exploiting Global Telecom Infrastructure
In Entwicklung
TechCrunch23.04.2026Technik3 dk okumaUnited States

Security Researchers Uncover Two Spying Campaigns Exploiting Global Telecom Infrastructure

Citizen Lab report reveals surveillance vendors abusing SS7 and Diameter protocol flaws to track cell phone locations

Auf einen Blick

  • Security researchers at Citizen Lab have identified two separate spying campaigns exploiting vulnerabilities in global telecommunications infrastructure to track people's locations.
  • The campaigns abused SS7 and Diameter protocols through three telecom providers—019Mobile, Tango Networks U.K., and Airtel Jersey—acting as surveillance entry points.
  • One campaign used SIMjacker attacks to turn targets' phones into tracking devices.

KI-generierte Zusammenfassung

Warum es wichtig ist

Citizen Lab has spent more than a decade exposing surveillance abuses. SS7 vulnerabilities have been publicly known for years, with researchers warning that governments and surveillance tech makers can exploit them to geolocate cell phones. Diameter was designed to replace SS7 with better security but implementation gaps remain.

Schriftgröße

Security researchers have uncovered two separate spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people's locations. The researchers say these two campaigns are likely a small snapshot of what they believe to be widespread exploitation of surveillance vendors seeking access to global phone networks. On Thursday, the Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing the two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as "ghost" companies that pretended to be legitimate cellular providers, and would piggyback their access to those networks to look up the location data of their targets. The new findings reveal continued exploitation of known flaws in the technologies that underpin the global phone networks. One of them is the insecurity of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that for years has been the backbone of how cellular networks connect to each other and route subscribers' calls and text messages around the world. Researchers and experts have long warned that governments and surveillance tech makers can exploit vulnerabilities in SS7 to geolocate individuals' cell phones, as SS7 does not require authentication nor encryption, leaving the door open for rogue operators to abuse it. The newer protocol, Diameter, designed for newer 4G and 5G communications, is supposed to replace SS7 and includes the lacking security features of its predecessor. But as the Citizen Lab highlights in this report, there are still ways to exploit Diameter, as cell providers do not always implement the new protections. In some cases, attackers can still fall back to exploiting the older SS7 protocol. The two spy campaigns have at least one thing in common: Both abused access to three specific telecom providers that repeatedly acted "as the surveillance entry and transit points within the telecommunications ecosystem." This access gave the surveillance vendors and their government customers behind the campaigns the ability to "hide behind their infrastructure," as the researchers explained. According to the report, the first one is Israeli operator 019Mobile, which researchers said was used in several surveillance attempts. British provider Tango Networks U.K. was also used for surveillance activity over several years, the researchers say. The third cellphone provider, Airtel Jersey, an operator on the Channel Island of Jersey now owned by Sure, a company whose networks have been linked to prior surveillance campaigns. Sure CEO Alistair Beak told TechCrunch that the company "does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content." "Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk. Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling," read Beak's statement. "Any evidence or valid complaint relating to the misuse of Sure's network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated." 019Mobile and Tango Networks did not respond to a request for comment. Researchers say 'high profile' people targeted According to the Citizen Lab, the first surveillance vendor facilitated spying campaigns spanning several years against different targets all over the world, and using the infrastructure of several different cellphone providers. This led researchers to conclude that different government customers of the surveillance vendor were behind the various campaigns. "The evidence shows a deliberate and well-funded operation with deep integration into the mobile signaling ecosystem," the researchers wrote. Gary Miller, one of the researchers who investigated these attacks, told TechCrunch that some clues point to an "Israeli-based commercial geo-intelligence provider with specialized telecom capabilities," but did not name the surveillance provider. Several Israeli companies are known to offer similar services, such as Circles (later acquired by spyware maker NSO Group), Cognyte, and Rayzone. According to the Citizen Lab, the first campaign relied on trying to abuse flaws in SS7, and then switching to exploiting Diameter if those attempts failed. The second spy campaign used different methods. In this case, the other surveillance vendor behind it — Citizen Lab is not naming, either — relied on sending a special type of SMS message to one specific "high-profile" target, as the researchers explained. These are text-based messages designed to communicate directly with the target's SIM card, without showing any trace of them to the user. Under normal circumstances, these messages are used by cellphone providers to send innocuous commands to their subscribers' SIM cards used for keeping a device connected to their network. But the surveillance vendor instead sent commands that essentially turned the target's phone into a location tracking device, according to the researchers. This type of attack was dubbed SIMjacker by mobile cybersecurity company Enea in 2019. "I've observed thousands of these attacks through the years, so I would say it's a fairly common exploit that's difficult to detect," said Miller. "However, these attacks appear to be geographically-targeted, indicating that actors employing SIMjacker-style attacks likely know the countries and networks most vulnerable to them." Miller made it clear that these two campaigns are just the tip of the iceberg. "We only focused on two surveillance campaigns in a universe of millions of attacks across the globe," he said.

Worauf zu achten ist

KI-Ausblick — Möglichkeiten, keine Fakten

  • More surveillance campaigns exploiting telecom vulnerabilities will be discovered

    Sehr wahrscheinlich · Innerhalb von Monaten

  • Telecom providers will face increased scrutiny and pressure to secure signaling infrastructure

    Wahrscheinlich · Innerhalb von Monaten

Offene Fragen

  • Which specific government customers were behind the surveillance campaigns?
  • How many targets were affected overall?
  • What specific protective measures has Sure implemented?

Verwandte Themen

This article was originally published by TechCrunch.

Ähnliche Meldungen

Mehr zu diesem Themacitizen lab