SS7 and Diameter abuse: telecom spying exposes a weak link

Researchers say surveillance vendors exploited telecom signaling—via SS7, Diameter, and SIM-based tricks—to track people’s locations, highlighting persistent risks for telecom security.
Two separate spying campaigns have been tied to vendors abusing telecom signaling systems to track people’s phone locations, according to researchers whose findings are detailed in a new investigation.
The core issue is not a single “spy app,” but the plumbing behind mobile networks—specifically signaling protocols that help carriers route calls, texts, and data. Misryoum’s focus on the business stakes is simple: when the infrastructure that supports connectivity can be misused, the risk spreads beyond security teams into carriers, vendors, regulators, and ultimately customers.
At the center of the report is how attackers used access to major telecom providers as an entry point into a global ecosystem. The researchers describe “ghost” companies posing as legitimate cellular operators, then “piggybacking” on their access to query location data. In practical terms, this means surveillance efforts can hide behind existing network infrastructure rather than building their own systems from scratch—an approach that can scale faster and stay less visible.
One major weakness highlighted is SS7, a long-standing set of protocols used in 2G and 3G networks. For years, security experts have warned that SS7’s design does not require authentication or encryption, which can leave room for rogue actors to extract location information tied to mobile subscribers. The business impact is that many networks still rely on inherited infrastructure patterns, and vulnerabilities in legacy components can remain commercially valuable to attackers even as carriers modernize.
Newer networks rely on Diameter, designed for 4G and 5G and intended to address the security gaps of SS7. But Misryoum’s analysis points to a recurring reality in telecom: “new protocol” does not automatically mean “secure implementation.” The investigation notes that some protections expected in Diameter may not be consistently applied by providers, and attackers may even fall back to exploiting SS7 when newer paths fail. That fallback capability matters because it turns modernization into a partial fix rather than a full barrier.
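The fallback pattern described above can be watched for on the carrier side. The following is an added example, not code from the investigation or from any carrier: it correlates a blocked Diameter location query with a later SS7 location query for the same subscriber. The log schema, field names, peer labels, and the 300-second window are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed signaling-firewall records (hypothetical schema, not a real product format).
# proto: "diameter" or "ss7"; kind: category the firewall assigned to the message;
# origin: label of the sending peer; verdict: what the firewall did with it.
SAMPLE_LOG = [
    {"ts": 100, "proto": "diameter", "origin": "peer-A", "subscriber": "sub-001", "kind": "location_query", "verdict": "blocked"},
    {"ts": 130, "proto": "ss7", "origin": "peer-A", "subscriber": "sub-001", "kind": "location_query", "verdict": "allowed"},
    {"ts": 200, "proto": "diameter", "origin": "peer-B", "subscriber": "sub-002", "kind": "location_query", "verdict": "blocked"},
    {"ts": 5000, "proto": "ss7", "origin": "peer-B", "subscriber": "sub-002", "kind": "location_query", "verdict": "allowed"},
    {"ts": 300, "proto": "ss7", "origin": "peer-C", "subscriber": "sub-003", "kind": "sms_routing", "verdict": "allowed"},
    {"ts": 400, "proto": "diameter", "origin": "peer-D", "subscriber": "sub-004", "kind": "location_query", "verdict": "blocked"},
    {"ts": 420, "proto": "ss7", "origin": "peer-E", "subscriber": "sub-004", "kind": "location_query", "verdict": "blocked"},
]

def find_fallbacks(records, window=300):
    """Alert when a blocked Diameter location query is followed by an SS7
    location query for the same subscriber within `window` seconds."""
    blocked = defaultdict(list)  # subscriber -> [(ts, origin)] of blocked Diameter queries
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["kind"] != "location_query":
            continue
        if r["proto"] == "diameter" and r["verdict"] == "blocked":
            blocked[r["subscriber"]].append((r["ts"], r["origin"]))
        elif r["proto"] == "ss7":
            # Correlate on subscriber, not origin: the sender may differ per protocol.
            prior = [b for b in blocked[r["subscriber"]] if 0 <= r["ts"] - b[0] <= window]
            if prior:
                alerts.append({
                    "subscriber": r["subscriber"],
                    "diameter_origin": prior[-1][1],
                    "ss7_origin": r["origin"],
                    "gap_s": r["ts"] - prior[-1][0],
                    # An allowed SS7 query after a Diameter block is the highest-priority case.
                    "ss7_allowed": r["verdict"] == "allowed",
                })
    return alerts

if __name__ == "__main__":
    for alert in find_fallbacks(SAMPLE_LOG):
        print(alert)
```

Alerts where `ss7_allowed` is true mark subscribers for whom the legacy path succeeded after the newer one was refused, which is where SS7 filtering rules lag behind the Diameter ones.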
The report also ties the campaigns to repeated use of three telecom providers that acted as key “entry and transit points” for signaling within the ecosystem. Misryoum cannot independently verify the identities or intentions of these operators, but the naming of specific providers—along with the assertion that the surveillance vendors routed their actions through them—underscores why telecom access arrangements and routing permissions sit at the center of risk management.
There is also a corporate and governance angle in how these access relationships operate. According to the investigation, one campaign involved Israeli operator 019Mobile, while British provider Tango Networks U.K. and Airtel Jersey—now owned by Sure—were also referenced in the broader picture. Sure’s leadership stated that it does not lease signaling access for locating or tracking individuals or for intercepting communications content, while also describing monitoring and blocking measures. Misryoum’s editorial takeaway is that carrier safeguards are only as strong as the enforcement and verification layer behind wholesale or partner access: if a vendor can obtain legitimate routing privileges, it may still be able to repurpose them.
The second campaign described in the report used a different mechanism—one aimed at a specific “high-profile” target. Instead of relying primarily on signaling protocol flaws, the vendor reportedly sent special SMS messages designed to communicate with a target’s SIM card in a way that could effectively turn the phone into a location-tracking instrument. Misryoum recognizes this as an exploit category that blurs the line between “network misuse” and “subscriber-level control,” because it leverages normal carrier-to-SIM messaging flows while altering the commands to produce malicious outcomes.
For business leaders in telecom and security, the most uncomfortable message is scale and detectability. A researcher involved in the investigation said the campaigns likely represent only a small snapshot of broader activity, and that SIM-based tracking techniques can be difficult to detect—especially when geographically targeted. That combination—persistence plus stealth—can create a long tail of risk that affects reputational trust, compliance exposure, and the cost of forensic remediation.
Looking ahead, the question Misryoum readers should ask is what changes first: protocol hardening, implementation discipline, or access governance. The answer affects budgets and timelines. Carriers may need stronger controls around signaling access, more rigorous partner vetting, and measurable protections that go beyond “we support secure features.” Meanwhile, surveillance abuses also raise regulatory pressure to treat telecom signaling access as a high-risk capability rather than a routine operational detail.
Ultimately, the investigation is a reminder that mobile security is a network-wide responsibility, not a single-product one. When signaling systems can be abused—even imperfectly protected ones—location data can become a commodity, and trust in everyday connectivity becomes the first casualty.