Security researchers say they have caught a surveillance company in the Middle East exploiting a new attack capable of tricking phone operators into disclosing a cell subscriber’s location.
The attack relies on bypassing security protections that carriers have put in place to protect intruders from accessing SS7, or Signaling System 7, a private set of protocols used by the global phone carriers to route subscribers’ calls and text messages around the world.
SS7 also allows the carriers to request information about which cell tower a subscriber’s phone is connected to, typically used for accurately billing customers when they call or text someone from overseas, for example.
Researchers at Enea, a cybersecurity company that provides protections for phone carriers, said this week that they have observed the unnamed surveillance vendor exploiting the new bypass attack as far back as late 2024 to obtain the locations of people’s phones without their knowledge.
Enea VP of Technology Cathal Mc Daid, who co-authored the blog post, told TechCrunch that the company observed the surveillance vendor target “just a few subscribers” and that the attack did not work against all phone carriers.
Mc Daid said that the bypass attack allows the surveillance vendor to locate an individual to the nearest cell tower, which in urban or densely populated areas could be narrowed to a few hundred meters.
Enea notified the phone operator it observed the exploit being used in, but declined to name the surveillance vendor, except to note it was based in the Middle East.
Mc Daid told TechCrunch that the attack was part of an increasing trend in malicious operators using these kinds of exploits to obtain a person’s location, warning that the vendors behind their use “would not be discovering and using them if they were not successful somewhere.”
“We anticipate that more will be found and used,” Mc Daid said.
Surveillance vendors, which can include spyware makers and providers of bulk internet traffic, are private companies that typically work exclusively for government customers to conduct intelligence-gathering operations against individuals. Governments often claim to use spyware and other exploitative technologies against serious criminals, but the tools have also been used to target members of civil society, including journalists and activists.
In the past, surveillance vendors have gained access to SS7 by way of a local phone operator, a misused leased “global title,” or through a government connection.
But due to the nature of these attacks happening at the cell network level, there is little that phone subscribers can do to defend against exploitation. Rather, defending against these attacks rests largely on the telecom companies.
In recent years, phone companies have installed firewalls and other cybersecurity protections to defend against SS7 attacks, but the patchwork nature of the global cell network means that not all carriers are as protected as others, including in the United States.
According to a letter sent to Sen. Ron Wyden’s office last year, the U.S. Department of Homeland Security said as far back as 2017 that several countries, notably China, Iran, Israel, and Russia, have used vulnerabilities in SS7 to “exploit U.S. subscribers.” Saudi Arabia has also been found abusing flaws in SS7 to conduct surveillance of its citizens in the United States.