Researchers Expose Commercial Surveillance Tools Exploiting Mobile Network Vulnerabilities in Real-World Attacks

Summary

Researchers at the University of Toronto's Citizen Lab have documented the first-ever confirmed link between real-world surveillance attack traffic and mobile operator signalling infrastructure. Two unknown threat actors deployed commercial surveillance tools to track targets by mimicking mobile phone operators' identities and exploiting long-known vulnerabilities in SS7 and Diameter protocols used in 3G, 4G, and 5G networks. The attackers leveraged operator infrastructure from at least 17 countries across Cambodia, China, Israel, Italy, Poland, Sweden, Uganda, and others to hide their activities and steer traffic through covert network pathways.

According to the Citizen Lab report, the attackers operated as "ghost operators" within the global telecom ecosystem, blending their malicious signalling traffic into the massive volume of legitimate international roaming signals. Despite repeated public warnings about these vulnerabilities, the campaigns continue unabated without regulatory consequences. The researchers were unable to definitively identify the commercial surveillance vendors or threat actors responsible, highlighting the opacity of telecommunications signalling protocols that allows bad actors to operate with impunity.

• Commercial surveillance vendors exploit the opaque nature of telecom signalling to operate as "ghost operators" within networks, making oversight and accountability nearly impossible