Researchers have identified surveillance campaigns that exploited vulnerabilities in mobile phone network signaling protocols, marking the first documented instance of linking commercial surveillance to the core infrastructure of telecommunications operators. The campaigns, conducted by unidentified entities, utilized custom tools to mimic legitimate operators and manipulate signaling pathways to conceal their activities.
The findings, detailed in a new report from the University of Toronto’s Citizen Lab, underscore a critical systemic issue where global telecommunications infrastructure, designed for international connectivity, is being subverted for covert surveillance. These operations are proving difficult to monitor, attribute, and regulate effectively, according to the research.
Exploiting Telecom Infrastructure for Surveillance
The investigation revealed that attackers impersonated mobile phone operators, employing customized surveillance tools to achieve their objectives. By manipulating signaling protocols such as SS7 and Diameter, they rerouted traffic and masked their operations. The research highlighted the pervasive nature of this exploitation, noting the use of identifiers and infrastructure associated with operators in numerous countries, including Cambodia, China, Israel, Italy, and the United Kingdom, among others.
These malicious actors leveraged the inherent trust built into the global telecommunications system: signaling messages that carry a legitimate operator identifier are generally accepted by peer networks. The SS7 and Diameter protocols, essential for 3G and 4G/5G networks respectively, were found to be susceptible to this kind of abuse. This aligns with recent regulatory attention, as the Federal Communications Commission (FCC) initiated a probe into the vulnerabilities of both SS7 and Diameter protocols earlier this year. Congress has also called for reports on these telecommunications vulnerabilities.
Challenges in Identification and Attribution
Pinpointing the exact vendors behind these surveillance operations, or their ultimate clients, remains a significant challenge. According to Ron Deibert, director of Citizen Lab, the opaque nature of telecommunications signaling protocols allows these vendors to operate discreetly. Their activities often blend into the massive volume of legitimate network traffic, making them difficult to detect and identify; Deibert describes them as “ghost operators” within the global telecom ecosystem.
In response to inquiries, some of the implicated operators have denied direct involvement. Israel-based 019 Mobile stated that the network nodes referenced in the report did not correspond to their infrastructure. Similarly, Sure indicated that they do not knowingly lease signaling access for tracking purposes and have implemented preventative measures against misuse.
Citizen Lab’s report acknowledges that direct operator involvement is not always the case. It suggests that access to signaling ecosystems can be obtained through third-party providers, commercial leasing arrangements, or other intermediaries, which enables malicious actors to send messages under legitimate operator identifiers without the operator’s knowledge.
The findings raise broader concerns for regulators, policymakers, and the telecommunications industry regarding accountability and oversight. The continued exploitation of these fundamental network protocols without apparent consequence highlights a need for enhanced security measures and greater transparency within the global telecom sector. Future developments will likely focus on regulatory responses and the telecom industry’s efforts to secure its signaling infrastructure against such sophisticated threats.