- Citizen Lab uncovered two surveillance vendors exploiting the backbone of global cellular networks to track targets across multiple continents.
- Three telecom providers—019Mobile, Tango Networks UK, and Sure—served as the entry points, with one provider operating from the Channel Islands.
- The vulnerabilities are built into SS7 and Diameter, the signaling protocols that route every call and text worldwide—and they’ve been known for over a decade.
Two unnamed surveillance companies spent years routing themselves through global phone networks to track people’s locations, intercept communications, and surveil high-profile targets across multiple countries. The Citizen Lab published the findings on Thursday, documenting two separate campaigns that exploited the same structural weakness: the signaling system that connects every cellular network on the planet.
The first vendor operated what researchers describe as a “deliberate and well-funded operation with deep integration into the mobile signaling ecosystem.” This actor abused access to three telecom providers—Israeli operator 019Mobile, British provider Tango Networks UK, and Sure, which operates in the Channel Islands—to launch surveillance campaigns spanning several years against targets all over the world. The scale of the operation, using multiple providers and targeting diverse geographies, led researchers to conclude that several different government customers were behind the requests.
The second campaign used a different method: sending special SMS messages designed to communicate directly with a target’s SIM card, without the phone user ever seeing a trace. These SIMjacker-style attacks—typically used by carriers to send maintenance commands—were directed at a single high-profile individual. “I’ve observed thousands of these attacks through the years, so I would say it’s a fairly common exploit that’s difficult to detect,” said Gary Miller, one of the Citizen Lab researchers who investigated the attacks. “However, these attacks appear to be geographically targeted, indicating that actors employing SIMjacker-style attacks likely know the countries and phone numbers of their targets.”
Why SS7 and Diameter Still Fail After 30 Years
The root problem is Signaling System 7, or SS7—a set of telecommunication protocols developed in the 1980s that handles how cellular networks connect to each other and route calls and text messages around the world. SS7 was designed for a world where only trusted telecom operators had access to the network. It has no built-in authentication. Anyone who gains access to the signaling network—whether a legitimate carrier or a surveillance company leasing a connection—can query any subscriber’s location, intercept messages, or redirect calls. Researchers have been warning about this since at least 2014, when Karsten Nohl demonstrated live SS7 attacks at a security conference. The industry response has been largely theoretical.
Diameter, the newer protocol designed for 4G and 5G networks, was supposed to fix SS7’s security gaps. It includes authentication features that SS7 lacks. But as the Citizen Lab report highlights, cell providers do not always implement these security features correctly—or at all. The first surveillance vendor in the report started with SS7 attacks and simply switched to Diameter when those attempts failed, treating the newer protocol as a fallback rather than a barrier. The upgrade path from 2G to 5G, it turns out, preserved the same trust model that made the original network exploitable.
Three telecom providers served as the surveillance entry and transit points. 019Mobile, an Israeli operator, was used in multiple surveillance attempts. Tango Networks UK was used for surveillance activity over several years. Sure, based in the Channel Islands, completed the trio. Sure CEO Alistair Beak told TechCrunch that the company “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals, or for intercepting communications content.” Gil Nagar, head of IT and security at 019Mobile, said the company “cannot confirm” that the infrastructure identified by Citizen Lab belongs to them. Tango Networks did not respond to a request for comment.
The Surveillance Industry’s Infrastructure Problem
The Citizen Lab findings echo an earlier investigation by Lighthouse Reports, which documented how Swiss telecom entrepreneur Andreas Fink built a surveillance apparatus operating over 100 global titles—access points that function like phone numbers within the signaling network—and made them available to governments and intelligence companies, including Israel’s Rayzone Group. Experts in the telecom security field described those activities as “a clear and present danger to anyone with a phone.” The common thread is that the global signaling network operates on trust: any entity with a valid access point can query subscriber data across any connected network, anywhere in the world.
The math is sobering. Miller made clear that these two campaigns represent a fraction of the total attack surface: “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe.” The the Electronic Frontier Foundation petitioned the FCC about SS7 vulnerabilities as far back as 2016, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to telecom operators on mitigating signaling-based attacks. But enforcement remains scattered, and the global nature of the network means that a single poorly secured provider in one jurisdiction can expose subscribers worldwide.
The Federal Communications Commission opened an investigation into SS7 vulnerabilities in U.S. telecom networks. The EU’s cybersecurity agency ENISA has issued similar warnings. Yet the fundamental architecture remains unchanged—just as mobile location tracking persists despite public outcry: a network designed for trusted operators now serves a surveillance industry that leases access through front companies and intermediary providers. As Frontierbeat reported, even encrypted messaging apps like Signal can be compromised through device-level extraction—meaning the signaling network is just one of several paths to a target’s communications.
The Citizen Lab report is available at citizenlab.ca.
