
Surveillance vendors abused access to telcos to track people’s phone locations, researchers say.


Security researchers have uncovered two separate espionage campaigns that are exploiting well-known weaknesses in the global financial system to track people’s locations. The researchers say the two campaigns are probably a small snapshot of what they believe is a more common trend among marketers who search for mobile phones around the world.

On Thursday, Citizen Lab, a digital rights organization with more than a decade of reporting on censorship abuses, published a new report describing two campaigns that have just been announced. The third-party vendors, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate cellular providers, and blocked their access to the network to monitor their data.

The findings highlight the continued use of well-known flaws in the technology that powers mobile phone networks around the world.

One of them is the vulnerability of Signaling System 7, or SS7, a set of 2G and 3G protocols that for many years have been the backbone of how mobile networks communicate with each other and call subscribers and communications around the world. Researchers and experts have long warned that governments and manufacturers of surveillance technologies can take advantage of this vulnerability in SS7 to identify people’s phone calls, since SS7 does not require authentication or encryption, leaving the door open for fraudsters to misuse it.

The new protocol, Diameter, designed for the new 4G and 5G connections, is supposed to replace SS7 and includes the existing security needs. But as Citizen Lab highlights in this report, there are ways to use Diameter, since cellular providers do not use the new security. In some cases, attackers can revert to using the old SS7 protocol.

The two espionage campaigns have one thing in common: Both exploited access to three telephones that repeatedly acted “as observation points and checkpoints within the communications environment.” This finding gave marketers and their government clients the ability to “hide behind their backs,” as the researchers described it.

According to the report, the first is the Israeli operator 019Mobile, which investigators said was used in several experiments. British agent Tango Networks UK was also used for surveillance over several years, the investigators say.

A third mobile operator, Airtel Jersey, operating on the Channel Island of Jersey, is now owned by Sure, the company whose network used to be linked to previous monitoring campaigns.

Sure CEO Alistair Beak told TechCrunch that the company “does not directly or indirectly lend signature capabilities to organizations to locate or track individuals, or block communications.”

“True acknowledges that digital services can be misused, so we take several measures to reduce this risk. Zedi has implemented several measures to prevent misuse of digital services, including monitoring and blocking inappropriate signals,” read Beak’s statement. “Any evidence or reasonable complaint regarding the misuse of Sure’s network will result in the service being suspended immediately and, if malicious or inappropriate activities are confirmed after investigation, permanent termination.”

019Mobile and Tango Networks did not respond to requests for comment.

Investigators say the ‘super’ people are after them

According to Citizen Lab, the first vendor managed espionage operations spanning several years against various targets around the world, using the devices of various mobile companies. This led investigators to suggest that different government clients were responsible for different campaigns.

“This evidence suggests a deliberate and well-paid occupation with deep integration into the mobile display ecosystem,” the researchers wrote.

Gary Miller, one of the researchers who conducted the investigation, told TechCrunch that some of the information points to an “Israeli commercial provider with unique telecom capabilities,” but did not specify who the investigation was. Several Israeli companies are known to offer similar services, such as Circles (which was later acquired by spyware developer NSO Group), Cognyte, and Rayzone.

According to Citizen Lab, the first campaign relied on trying to exploit bugs in SS7, switching to using Diameter if those efforts failed.

The second spy operation used different methods. In this case, one of the vendors behind the background check – Citizen Lab is not naming it, either – relied on sending a special type of SMS message to a special “high-level” target, as the researchers explained.

These are text messages designed to communicate directly with the target SIM card, without showing them to the user. In most cases, these messages are used by mobile providers to send innocuous commands to subscribers’ SIM cards that are used to keep the device connected to their network. But the seller controlled it and instead sent commands that turned the intended phone into a tracking device, according to the investigators. Such attacks were called SIMjacker by mobile cybersecurity company Enea in 2019.
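How an operator-side SMS filter can single out SIM-addressed messages like those described above, as an added example that is not from the article or the Citizen Lab report: it reads the TP-PID and TP-DCS header fields of an SMS-DELIVER TPDU (3GPP TS 23.040) and blocks SIM-directed messages from unapproved senders. The `ota_senders` allowlist, the verdict names and both sample TPDUs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID value for "(U)SIM Data Download"

# Constructed sample TPDUs (not captured traffic; payload bytes are filler).
TEXT_SMS = "040B915155550501F000004201122143650002E834"
SIM_SMS = "440B915155550591F97FF6420112214365000702700000000000"

@dataclass
class SmsDeliver:
    sender: str    # TP-OA digits
    pid: int       # TP-PID
    dcs: int       # TP-DCS
    has_udh: bool  # TP-UDHI flag: user data starts with a header

def message_class(dcs: int):
    """Return the message class (0-3) encoded in TP-DCS, or None if absent."""
    if dcs & 0xC0 == 0x00 and dcs & 0x10:  # general group, class bits valid
        return dcs & 0x03
    if dcs & 0xF0 == 0xF0:                 # data coding / message class group
        return dcs & 0x03
    return None

def parse_sms_deliver(hex_tpdu: str) -> SmsDeliver:
    """Parse the fixed header of a bare SMS-DELIVER TPDU (no SMSC prefix)."""
    b = bytes.fromhex(hex_tpdu)
    if len(b) < 2 or b[0] & 0x03 != 0x00:  # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = b[1]                          # TP-OA length in semi-octets
    addr_end = 3 + (digits + 1) // 2
    if len(b) < addr_end + 2:
        raise ValueError("truncated TPDU")
    # Address digits are swapped BCD nibbles; 0xF pads an odd digit count.
    nibbles = "".join(f"{o & 0x0F:X}{o >> 4:X}" for o in b[3:addr_end])
    return SmsDeliver(nibbles[:digits], b[addr_end], b[addr_end + 1],
                      bool(b[0] & 0x40))

def verdict(hex_tpdu: str, ota_senders: frozenset) -> str:
    """Classify one message for a hypothetical SMS firewall policy."""
    try:
        sms = parse_sms_deliver(hex_tpdu)
    except ValueError:
        return "drop-malformed"
    # Class 2 and PID 0x7F both route the message to the SIM, not the screen.
    sim_directed = (sms.pid == SIM_DATA_DOWNLOAD_PID
                    or message_class(sms.dcs) == 2)
    if not sim_directed:
        return "deliver"
    # Assumption: sender stands in for the firewall's trusted-source identity.
    return "deliver-ota" if sms.sender in ota_senders else "block-and-alert"
```

Originating addresses can be forged, so a production filter would key the allowlist on the network-level source of the message rather than the TP-OA field used here.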

“I’ve seen thousands of these attacks over the years, so I’d say they’re very common and difficult to detect,” Miller said.

Miller made it clear that the two campaigns are just tips. “We only looked at two global monitoring campaigns for millions of attacks around the world,” he said.
