By ByteBot
Citizen Lab researchers at the University of Toronto published “Bad Connection” on April 23, 2026, exposing two sophisticated commercial surveillance campaigns that exploit global telecom infrastructure. Covert surveillance vendors, operating as “ghost companies” pretending to be legitimate cellular providers, have been tracking phone locations worldwide by abusing SS7 and Diameter signaling protocols. The investigation links real-world attack traffic to mobile operator infrastructure for the first time, revealing how suspected Israeli-based surveillance firms sell location tracking to government intelligence agencies.
How the Attacks Work
The surveillance campaigns use multi-vector attacks combining 3G (SS7) and 4G (Diameter) signaling protocols. The first campaign exploits the “combined attach” feature that allows devices to register on both 3G and 4G networks simultaneously, querying for Cell ID, Location Area Code, and Mobile Network Code to triangulate location. The second campaign is more invasive: it sends malicious SMS messages containing hidden SIM card commands that turn devices into “covert tracking beacons,” extracting location data without user knowledge.
Both campaigns manipulate signaling identifiers to obscure the true origin of attack traffic. The technical specifics are alarming—SS7 commands like locationInformation and currentLocation, combined with Diameter commands such as RAT-Type Requested, give attackers precise location data. This isn’t theoretical. Citizen Lab traced operator identifiers reused across multiple years, indicating long-running surveillance operations. Over 1 billion mobile users are potentially exposed to these SIM-based attacks, a vulnerability known as Simjacker that operators have failed to patch.
Who’s Behind It
Citizen Lab identified three mobile networks functioning as repeated surveillance entry points: 019Mobile in Israel, Airtel Jersey in the Channel Islands, and Tango Networks UK. Evidence points to suspected Israeli-based commercial geo-intelligence providers similar to known vendors Circles (acquired by NSO Group), Cognyte, and Rayzone. These “ghost companies” spoof operator identities and exploit commercial leasing arrangements to access telecom infrastructure without adequate oversight.
Government intelligence agencies are the primary customers for these surveillance-as-a-service operations. The investigation, presented at RSA Conference 2026, documented attack infrastructure spanning 18 countries including the UK, Israel, China, Thailand, Sweden, and Cambodia. Mobile signaling security provider Cellusys validated that attackers were targeting specific IMSI phone identifiers—this isn’t mass data collection, it’s precision tracking.
Why Attacks Succeed: Industry Negligence
Here’s the uncomfortable truth: despite SS7 vulnerabilities being publicly known for years, most telecom operators have failed to implement basic security protections. Security researchers found that operators “continue to rely on the same peer-to-peer trust model that plagues SS7” even for newer Diameter (4G) protocols. While 84% of operators monitor SS7 traffic, monitoring alone doesn’t prevent attacks. Unified signaling firewalls capable of blocking unauthorized requests remain largely undeployed.
The Federal Communications Commission launched an investigation into “grave weaknesses” in phone network infrastructure, but fixes require industry-wide cooperation that has yet to materialize. Experts warn that “SS7 vulnerabilities will continue to be exploited well into 2026 and beyond.” The gap between IR.21 security standards and actual implementations reveals a systemic failure to prioritize user privacy over operational convenience.
Everyone’s Vulnerable
This isn’t just about high-profile targets. Every mobile user is potentially vulnerable to this surveillance. The Citizen Lab investigation tracked a “VVIP” company executive, but the techniques work against anyone with a mobile phone. Privacy advocates warn this contributes to an “ever-expanding infrastructure of private sector surveillance,” with governments circumventing warrant requirements by purchasing data from commercial vendors.
Jeramie D. Scott, senior counsel at the Electronic Privacy Information Center, argues that government data purchases without warrants are “hurtling us into a dystopian surveillance society.” Senators Ron Wyden and Mike Lee introduced the Government Surveillance Reform Act requiring warrants before federal agencies buy personal data, but the “data broker loophole” remains open. Until Congress acts, commercial surveillance vendors operate in a regulatory gray zone.
What Developers and Users Can Do
For developers building telecom, security, or privacy-focused applications: understand that SS7 and Diameter vulnerabilities are systemic infrastructure issues, not device bugs. Don’t rely on telecom network security. Consider end-to-end encryption (Signal protocol), app-based authentication instead of SMS-based 2FA, and privacy-preserving architectures.
Users should adopt encrypted messaging apps like Signal or WhatsApp and disable unnecessary location services. The industry needs unified signaling firewalls, regulatory oversight of telecom leasing practices, and international cooperation to close surveillance loopholes. But until telecom operators prioritize security over legacy compatibility, app-level protection remains the best defense against ghost companies tracking your every move.
