Surveillance companies exploiting telecom system to spy on targets’ locations, research shows
Surveillance vendors are using telecommunications infrastructure to suck up targets’ location data, according to a report released by researchers Thursday.
The report from Citizen Lab, a research institute at the University of Toronto that tracks digital surveillance, says the campaigns exploited a weakness in telecom infrastructure to allow the unnamed vendors to secretly pose as real cellular providers and pinpoint victims’ locations.
One of two campaigns identified by the Citizen Lab worked by sending a text message with malicious hidden SMS commands to targets in an effort to “turn the device into a covert tracking beacon,” the report said.
The other campaign relied on weaknesses in a set of protocols for cellular networks known as Signaling System 7 (SS7). The protocols have long been abused by malicious actors, who exploit the fact that they are the primary way the networks send users’ calls and text messages to their contacts.
SS7 protocols are used primarily in older 3G networks. They are exceptionally vulnerable to attack because SS7 does not verify and authenticate the source of signalling messages and does not use encryption, the report said.
The surveillance vendors also were able to attack Diameter protocols, which are used for newer 4G and 5G networks, according to the report. While Diameter protocols were created to include security protections absent from SS7, many operators have not implemented the safeguards, the report said.
The attack vector
Both campaigns gained access to users’ locations by exploiting the same three telecom networks.
Those mobile networks “repeatedly appear as the surveillance entry and transit points within the telecommunications ecosystem,” the report said. “These networks function as gateways that allow traffic to move through trusted signalling interconnections while granting access to threat actors that hide behind their infrastructure.”
Evidence surfaced by the researchers suggests an Israeli company may be behind the surveillance, Gary Miller, one of the authors of the report, said in an interview.
“The techniques that were used were specifically designed to obfuscate the source, but in looking at the routing of that traffic — it is routing that is injected into the mobile ecosystem — I could see that the traffic would have taken the path back to Israel,” Miller said.
While the Citizen Lab research is unique for having identified specific examples of attacks, Miller said such attacks are commonplace.
“We're not talking about a few spyware attempts,” Miller said. “These are massive, massive amounts of unauthorized traffic and 90 plus percent of them are being generated by third parties accessing the mobile signaling environment. It's such a huge issue that has not been addressed.”
Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.



