Security researchers say they caught a surveillance company in the Middle East exploiting a new attack that can get phone operators to disclose the location of cell subscribers.
The attack relies on bypassing the security protections that have been implemented to keep intruders from accessing SS7, or Signaling System 7, a private set of protocols used by global phone carriers to route calls and text messages for subscribers around the world.
SS7 also allows carriers to request information about which cell tower a subscriber's phone is connected to. This is typically used to bill customers accurately when they call or text someone from abroad.
Researchers at ENEA, a cybersecurity company that provides protections for phone carriers, said this week that they observed an unnamed surveillance vendor in late 2024 exploiting a new bypass attack to obtain people's phone locations without their knowledge.
The company's VP of Technology, Cathal Mc Daid, who co-authored the blog post, told TechCrunch that the company observed the surveillance vendor targeting “just a few subscribers” and that the attack did not work against all phone carriers.
Mc Daid said the bypass attack allows the surveillance vendor to locate an individual to the nearest cell tower.
ENEA informed the phone operator where the exploit had been observed in use, but declined to name the surveillance vendor, saying only that it was based in the Middle East.
Mc Daid told TechCrunch that the attack is part of a growing trend of malicious operators using this kind of exploit to obtain people's locations, warning that the vendors behind their use “will not discover them and use them if they're not successful somewhere.”
“We expect more to be discovered and used,” Mc Daid said.
Surveillance vendors, which can include spyware makers and providers of bulk internet traffic, are usually private companies that work exclusively for government customers to carry out intelligence-gathering operations against individuals. Governments often argue that they use spyware and other exploitative technologies against serious criminals, but the tools are also used to target members of civil society, including journalists and activists.
In the past, surveillance vendors have gained access to SS7 through local phone operators, misused leased “global titles,” or government ties.
However, because these attacks happen at the cell network level, there is little that phone subscribers can do to protect themselves against exploitation. Rather, defending against these attacks is largely up to the telecom companies.
In recent years, phone companies have installed firewalls and other cybersecurity protections to defend against SS7 attacks, but the patchwork nature of the global cell network means that not all carriers are as well protected as others, including in the US.
According to a letter sent to Senator Ron Wyden's office last year, the US Department of Homeland Security said as far back as 2017 that SS7 vulnerabilities were being used for “exploiting US subscribers.” Saudi Arabia is also known to have abused SS7 flaws to monitor US citizens.