Surveillance Vendor Exposed for Exploiting New SS7 Attack: Uncovered Phone Location Tracking Scandal
In a recent disclosure, cybersecurity researchers at Enea have exposed a surveillance company based in the Middle East for exploiting a novel attack method that bypasses security measures implemented by global phone carriers to access and disclose the location of cell subscribers.
The attack strategy circumvents the protective barriers carriers have put in place against unauthorized access to SS7, or Signaling System 7 – a private network of protocols utilized by international phone operators for routing calls and text messages globally. SS7 also enables carriers to request details about the cell tower with which a subscriber’s device is connected, typically used for precise billing purposes such as overseas calls or texts.
Researchers at Enea, a leading cybersecurity firm offering protections to phone operators, reported this week that they have traced the unnamed surveillance vendor using this bypass attack as early as late 2024 to acquire the locations of targeted phones without consent. Cathal Mc Daid, VP of Technology at Enea and co-author of the blog post, informed that the observed targeting was limited to a few subscribers, and the attack did not affect all phone carriers.
Mc Daid explained that the bypass attack permits the surveillance vendor to pinpoint an individual to the nearest cell tower, which in densely populated areas can be narrowed to a few hundred meters. Although the specific surveillance vendor remains unnamed, Enea notified the affected phone operator and noted its geographical location in the Middle East.
Mc Daid warned that this type of attack represents an escalating trend among malicious operators seeking to obtain a person’s location, stating that the vendors responsible for these exploits “would not be discovering and using them if they were not successful somewhere.” He emphasized that more similar attacks are anticipated.
Surveillance vendors, which may include spyware manufacturers and providers of bulk internet traffic, are private companies primarily serving government clients to execute intelligence-gathering operations against individuals. Governments often claim to utilize such tools against serious criminals but have also been implicated in targeting journalists and activists.
In the past, surveillance vendors have gained access to SS7 through various means, including a local phone operator, misused leased “global titles,” or via government connections. Given that these attacks occur at the cell network level, phone subscribers have limited defenses against such exploitation. Instead, protection primarily relies on telecom companies implementing robust firewalls and cybersecurity measures to guard against SS7 threats.
In recent years, phone operators have invested in installing firewalls and other security protections to safeguard against SS7 attacks; however, the fragmented nature of the global cell network implies that not all carriers are equally secure, even in developed countries like the United States. According to a letter sent to Sen. Ron Wyden’s office last year, the U.S. Department of Homeland Security acknowledged as early as 2017 that several nations, including China, Iran, Israel, and Russia, have exploited vulnerabilities in SS7 to surveil U.S. subscribers. Saudi Arabia has also been found misusing flaws in SS7 for domestic surveillance of citizens residing in the United States.
