Citizen Lab exposed two ghost-company surveillance vendors abusing SS7 and SIMjacker exploits in global cellular networks to geolocate high-profile targets.
Key Takeaways
Three telcos served as recurring entry and transit points for both campaigns: 019Mobile (Israel), Tango Networks U.K., and Airtel Jersey (now Sure).
SS7, the 2G/3G backbone, has no authentication or encryption; Diameter, its 4G/5G replacement, is still exploitable when carriers skip implementing its new protections.
The first campaign chained SS7 exploits with Diameter fallback; the second used SIMjacker silent SMS to turn the target’s SIM card into a passive location tracker.
Researcher Gary Miller ties campaign one to an Israeli commercial geo-intelligence vendor; Circles/NSO Group, Cognyte, and Rayzone are named as known analogues in the space.
Miller calls these two campaigns “the tip of the iceberg” in what he estimates is a universe of millions of global attacks.
Hacker News Comment Review
Commenters flagged that 5G offers no protection: backward compatibility preserves SS7 downgrade paths, making a data-only SIM combined with internet-based voice the only effective mitigation.
Real-world abuse runs far beyond state actors: telco insiders stalking individuals and a Russian black market for location data were both cited as evidence the threat is diffuse and structural.
LOVEINT cases – NSA personnel using classified surveillance infrastructure against personal targets – were raised as proof that insider misuse is not an edge case but a predictable outcome of concentrated access.
Notable Comments
@aetherspawn: Stalker ex with telco access tracked target across new SIM cards and new phones; police dismissed every report as irrational.