Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors - The Citizen Lab

The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.

SIM Card Exploitation: One campaign sent a malicious SMS containing hidden SIM card commands to extract location information, attempting to turn the device into a covert tracking beacon.

Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate. Despite repeated public reporting, this activity continues unabated and without consequence.

These vulnerabilities are not the result of software bugs or network misconfigurations; rather, they are inherent to global telecommunications design and business practices. The mobile ecosystem comprises over a thousand operators interconnected through roaming agreements and signalling protocols that prioritize efficiency, service availability, and revenue opportunity over security. As a result, a shadowy marketplace of state-backed and commercial espionage actors has emerged, developing and deploying software platforms that weaponize telecommunication networks for global surveillance.

he root of the security problem lies in the foundational signalling protocols themselves. Designed for a trusted community of mobile operators and legitimate third-party service providers, SS7 protocols lack the basic security mechanisms of IP networks, such as authentication and validation to verify the source of signalling messages, integrity checks to ensure that data has not been altered, and encryption to protect its contents.

While most commercial threat groups focus on device implants, there is strong demand by government agencies for “off-the-shelf” telecom surveillance services that use mobile networks to locate and track users, and intercept communications without hacking a target’s phone. These services are often brokered through intermediaries with direct or brokered access to mobile operator or provider networks, allowing surveillance traffic to blend into legitimate roaming operations.