A Landmark Discovery in Telecom Surveillance Research
Researchers at the University of Toronto's Citizen Lab have published findings they describe as the first-ever linking of "real-world attack traffic to mobile operator signalling infrastructure." Two unidentified parties conducted surveillance campaigns using commercial spyware tools, exploiting well-documented vulnerabilities in global mobile phone networks to track targets — and doing so in ways that are deliberately difficult to detect, attribute, or regulate.
The report, released Thursday and authored by Gary Miller and Swantje Lange, outlines how the attackers impersonated legitimate mobile network operators using customized surveillance tools, manipulated signaling protocols, and rerouted traffic through specific network pathways to obscure their activities.
The Core Problem: A Broken Trust Model
The Citizen Lab report frames the surveillance operations as symptomatic of a deeper, structural flaw in how global telecommunications were designed. As the report states:
"Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate."
Miller and Lange were direct in their assessment of the industry's failure to respond: "Despite repeated public reporting, this activity continues unabated and without consequence." They also raised broader policy concerns, writing that "the continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security."
How the Attacks Were Carried Out
The surveillance campaigns exploited two signaling protocols that underpin how mobile networks communicate across borders:
- SS7 (Signaling System No. 7): The legacy protocol used predominantly in 3G networks, long known to be riddled with security weaknesses.
- Diameter: The protocol associated with 4G networks and most 5G implementations, which was intended to be more secure than SS7 but has proven to carry its own vulnerabilities.
Attackers shifted between the two protocols over the course of the campaigns. In 2024, the Federal Communications Commission opened a formal probe into vulnerabilities in both SS7 and Diameter. Additionally, Senator Ron Wyden (D-Ore.) has called on the Cybersecurity and Infrastructure Security Agency to produce a report specifically addressing telecommunications vulnerabilities rooted in these two protocols.
The attackers leveraged identifiers and infrastructure associated with mobile operators across a wide range of countries, including networks based in Cambodia, China, the self-governing island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda, and the United Kingdom.
'Ghost Operators' Inside the Global Telecom Ecosystem
Despite the scope of the findings, identifying the specific commercial surveillance vendors behind the campaigns — or determining who commissioned them — remained out of reach for the researchers. Ron Deibert, director of Citizen Lab, elaborated on this challenge in his newsletter:
"The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are. Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are 'ghost operators' within the global telecom ecosystem."
This anonymity is central to why such campaigns persist. Malicious signaling traffic is effectively camouflaged within the enormous volume of legitimate roaming messages that flow between operators every day.
Operator Responses and Caveats
Citizen Lab's report identified several operators whose infrastructure appeared in connection with the attacks, though the researchers were careful to note that operator involvement is not automatically implied. The report states: "In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks."
Among the operators named, 019 Mobile, an Israel-based carrier, responded to say it did not recognize the hostnames referenced in the report as belonging to its network nodes, and could not attribute the signaling activity to infrastructure it operates.
A second operator, Sure, told TechCrunch that it does not knowingly lease signaling access to organizations using it for individual tracking, and that it has implemented preventative measures against such misuse. Sure, 019 Mobile, and a third operator, Tango Networks UK, did not respond to requests for comment from CyberScoop.
Why This Matters for Regulators and the Industry
The Citizen Lab findings arrive at a time of growing scrutiny over commercial surveillance vendors and the infrastructure they exploit. The vulnerabilities at issue — SS7 and Diameter — are not new. Security researchers, journalists, and advocacy groups have flagged these flaws for years, and yet meaningful global reform has remained elusive.
What makes the Thursday report significant is not just what it found, but what it proved: that commercial spyware operators are actively and successfully using telecom signaling infrastructure as a vector for targeted surveillance, in real-world conditions, against real people. The question now facing national regulators, policymakers, and telecommunications companies is whether that proof will finally translate into accountability and enforceable oversight — or whether the surveillance will simply continue unabated, as it has before.
Source: CyberScoop