Tracking people via their mobile phones is a standard trope in crime dramas and spy movies. Now, a research team from the Hasso Plattner Institute (HPI) and the University of Toronto has demonstrated that mobile networks are indeed used in practice to locate individuals. Commercial surveillance vendors exploit long-known security vulnerabilities to do so.
“The mobile network is highly opaque and extremely complex,” says Swantje Lange, a PhD student at HPI. Together with security researcher Gary Miller, she published the report “Bad Connection – Uncovering Global Telecom Exploitation by Covert Surveillance Actors” at The Citizen Lab. The research unit at the University of Toronto’s Munk School of Global Affairs & Public Policy investigates threats to human rights in the digital ecosystem.
Renting instead of hacking
Swantje Lange and Gary Miller analyzed firewall data from mobile networks, examining which attacks had been blocked in order to draw conclusions about attack strategies. “We were able to identify two sophisticated surveillance campaigns,” Swantje Lange explains.
The scale of the activity suggests commercial providers rather than individual actors: “In some cases, we observed location-tracking requests that occurred almost simultaneously from networks all over the globe, sent within minutes from operators in nine different countries. That is a clear indicator of an operation that exceeds the capabilities of individuals.”
Surveillance companies gain access to mobile networks via signaling infrastructure that connects different mobile network operators. Through this infrastructure, subscriber and location data are exchanged during normal operation—for example, to enable roaming abroad. “The signaling infrastructure is privately managed. Some operators rent out access, known as ‘Global Titles,’” Lange says.
Once inside, no one checks again
“Global Titles” are addresses similar to phone numbers, assigned by national telecommunications regulators. Whoever possesses them can act as a legitimate participant within the mobile network. This is made possible by weaknesses in the protocol standards used to transmit data.
“With the SS7 protocol, which is used in 2G and 3G networks, no authentication is required,” says Lange. While the 4G and 5G standard—the Diameter protocol—does include mechanisms for authentication and encryption, these are often not implemented in practice.
The result: “Surveillance vendors can send signalling queries to determine, for example, which cell tower a phone is currently connected to,” Lange explains. “The targeted network cannot easily distinguish these requests from legitimate ones.”
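The researchers drew their conclusions from signalling-firewall records, and the pattern quoted above (location queries for one subscriber arriving within minutes from operators in many countries) is exactly the kind of correlation a network operator can check for, even though any single query looks legitimate. The following Python example is added here for illustration; it is not code from the report or from HPI or Citizen Lab. It assumes a simplified, constructed CSV export of a signalling firewall with the fields shown, treats a small set of MAP operation names as location-relevant (an assumption for this example), and uses placeholder subscriber identifiers and Global Titles.

```python
"""Flag 'many origin countries, short window' location-query bursts.

Added example (not from the report). The log format, field names, the set of
operations treated as location-relevant, and all identifiers below are
constructed assumptions for illustration.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Operations treated as location-relevant for this example (assumption).
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendRoutingInfoForSM"}

# Constructed sample log: one subscriber is queried from five countries within
# six minutes; another only sees ordinary roaming traffic from its home network.
# Subscriber ids and Global Titles are placeholders, not real values.
SAMPLE_LOG = """timestamp,origin_country,origin_gt,operation,target
2024-01-01T10:00:05Z,DE,491700000001,updateLocation,IMSI-ROAMER-1
2024-01-01T10:00:12Z,CH,417900000001,provideSubscriberInfo,IMSI-TARGET-1
2024-01-01T10:01:30Z,IL,972500000001,anyTimeInterrogation,IMSI-TARGET-1
2024-01-01T10:02:02Z,GB,447900000001,provideSubscriberInfo,IMSI-TARGET-1
2024-01-01T10:03:45Z,AE,971500000001,anyTimeInterrogation,IMSI-TARGET-1
2024-01-01T10:05:10Z,CH,417900000002,provideSubscriberInfo,IMSI-TARGET-1
2024-01-01T10:06:00Z,ES,346000000001,sendRoutingInfoForSM,IMSI-TARGET-1
2024-01-01T10:20:00Z,DE,491700000001,provideSubscriberInfo,IMSI-ROAMER-1
2024-01-01T14:30:00Z,CH,417900000001,provideSubscriberInfo,IMSI-TARGET-1
"""


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into dicts, adding a parsed 'ts' datetime field."""
    rows = []
    for row in csv.DictReader(StringIO(text.strip())):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def find_multi_origin_bursts(
    events: list[dict],
    window: timedelta = timedelta(minutes=10),
    min_countries: int = 3,
) -> list[dict]:
    """Return one alert per target whose location queries, inside any window
    of the given length, originate from at least `min_countries` countries.

    A single query from a roaming partner is normal; the same subscriber being
    interrogated from many unrelated countries within minutes is not.
    """
    by_target: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if ev["operation"] in LOCATION_OPS:
            by_target[ev["target"]].append(ev)

    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Slide a window anchored on each query and keep the widest spread.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            countries = sorted({e["origin_country"] for e in in_window})
            if len(countries) >= min_countries and (
                best is None or len(countries) > best["distinct_countries"]
            ):
                best = {
                    "target": target,
                    "window_start": start["timestamp"],
                    "queries": len(in_window),
                    "distinct_countries": len(countries),
                    "countries": countries,
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_multi_origin_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises one alert, for IMSI-TARGET-1, covering six queries from five countries starting at 10:00:12; the roamer's single home-network query and the target's isolated query hours later stay below the threshold. In a real deployment the threshold and window would be tuned against the operator's own roaming-partner baseline, and a query from a Global Title that has no roaming agreement with the home network is a stronger signal than country count alone.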
Invisible text messages
In addition to network-based location queries, the researchers identified another method: invisible text messages that exploit SIM cards directly. Mobile operators normally use special SMS messages to configure device network settings; these messages are processed by an application on the SIM card without the user ever seeing them.
Surveillance vendors exploit this mechanism by embedding commands—for example, to request location data—into such messages. An application on the SIM card executes the code automatically and returns the requested information back to the attacker.
It remains difficult to definitively attribute these activities. However, the technical patterns suggest that the attacks are carried out by commercial surveillance platforms likely used by multiple clients, including governments.
At the same time, regulators are beginning to respond. The UK’s communications regulator, for instance, has recently banned the leasing of “Global Titles.”
The full report by Citizen Lab is available here.