Your Carrier Is the Backdoor: Surveillance Vendors Caught Tracking Phones via Telco Access

├── "SS7/Diameter protocols are fundamentally broken by design and the telecom industry has failed to fix known vulnerabilities for over a decade"
│  └── TechCrunch (TechCrunch)

The article emphasizes that SS7 vulnerabilities have been publicly known since at least 2008, with repeated demonstrations of location tracking and call interception. The protocols were designed in a trust-all era with no meaningful authentication, and any entity with signaling access can query the location of any subscriber on any connected network worldwide.

├── "The real abuse vector is commercial access agreements — surveillance vendors are laundering tracking capabilities through legitimate telco partnerships"
│  └── TechCrunch (TechCrunch)

The article documents how surveillance vendors obtained signaling access through commercial agreements with smaller telecom operators or aggregators, then used that access to issue location queries far beyond any legitimate business purpose. The research identified specific anomalous patterns — high-frequency pings against small sets of numbers, queries from networks with no roaming relationship — that distinguish covert tracking from normal operations.

└── "Security researchers and forensic analysis are the only effective check on this surveillance abuse"
  └── top10.dev editorial (top10.dev)

The editorial highlights that the abuse was only uncovered because researchers identified telltale query patterns — timing signatures consistent with real-time tracking, queries originating from unrelated networks, and anomalous frequency against targeted numbers. Without this independent research shared ahead of publication, the surveillance activity would have continued undetected within the opaque telecom signaling infrastructure.

## What happened

Security researchers have documented surveillance vendors exploiting their commercial access to telecom operator networks to track the real-time physical locations of targeted individuals' phones. The vendors — companies that sell location-tracking and interception capabilities to government clients — were caught using their positioning within the global telecom signaling infrastructure to issue location queries against mobile subscribers, effectively turning carrier partnerships into covert surveillance channels.

The abuse runs through SS7 (Signaling System 7) and its 4G/5G successor Diameter — the signaling protocols that mobile networks use to route calls, deliver SMS messages, and hand off subscribers between towers. These protocols were designed in an era when every node on the network was a trusted telephone company; they have no meaningful authentication, and any entity with signaling access can query the location of any subscriber on any connected network worldwide. The surveillance vendors obtained this access through commercial agreements with smaller telecom operators or aggregators, then used it to ping location databases far beyond any legitimate business purpose.

The research — shared with TechCrunch ahead of publication — reportedly identified specific patterns of location queries that could not be explained by normal network operations: high-frequency pings against small sets of phone numbers, queries originating from networks with no roaming relationship to the target subscriber, and timing patterns consistent with real-time tracking rather than routine signaling.

## Why it matters

### The SS7 problem is older than most developers' careers

SS7 vulnerabilities have been publicly known since at least 2008, when researcher Tobias Engel demonstrated location tracking at the Chaos Communication Congress. In 2014, researchers from SRLabs showed they could intercept calls and SMS messages via SS7 from anywhere in the world. In 2017, the U.S. Department of Homeland Security acknowledged the threat in a public study. Despite over a decade of warnings, most mobile operators have not deployed SS7 firewalls or signaling security measures, because the protocols are deeply embedded in inter-carrier roaming, billing, and SMS delivery infrastructure.

What makes this latest finding different is the vector: it's not nation-state hackers or criminal groups buying black-market SS7 access. It's commercial surveillance companies with legitimate, contractual access to telecom signaling networks — companies that exist in a legal gray zone, selling capabilities to law enforcement and intelligence agencies while operating with minimal oversight of how that access gets used day-to-day.

### The supply chain of surveillance

The telecom signaling ecosystem is a supply chain problem. A surveillance vendor doesn't need to hack a carrier. They need a business relationship with any operator or signaling hub that connects to the global SS7/Diameter network. Smaller operators in jurisdictions with limited regulatory oversight are the typical entry points. Once connected, the vendor can reach subscribers on any carrier in any country — AT&T, Vodafone, T-Mobile, it doesn't matter — because the signaling network is globally interconnected by design.

This is the telecom equivalent of a supply chain attack: compromise one node, reach every node. The researchers' findings suggest that the vendors were querying subscribers across multiple countries and carriers, well beyond any plausible scope of authorized use.

The Hacker News discussion around this story surfaced a familiar frustration among practitioners: the gap between what's technically possible and what's actually defended. Multiple commenters with telecom experience noted that SS7 firewalls exist and work, but carriers treat them as cost centers rather than security requirements. The incentive structure is broken — carriers don't bear the cost of surveillance abuse; their subscribers do.

### What the industry hasn't fixed

GSMA, the industry body representing mobile operators, has published SS7 security guidelines and a signaling firewall framework. Some large carriers — particularly in Northern Europe — have deployed firewalls that filter suspicious signaling messages. But adoption is patchy. A 2023 ENISA report found that a significant percentage of European operators had not implemented basic SS7 monitoring, let alone active filtering. In markets outside Europe and North America, deployment is even thinner.

The transition to Diameter (used in 4G LTE networks) was supposed to improve things. It didn't, materially. Diameter adds TLS as an option, but in practice, most inter-carrier Diameter connections run unencrypted, and the protocol's trust model is fundamentally similar to SS7: any connected node can issue queries. 5G's signaling architecture (HTTP/2-based, with mutual TLS and OAuth2 tokens) is a genuine improvement, but it will take a decade or more before SS7 and Diameter can be fully decommissioned — and most of the world's mobile subscribers are still reachable via the legacy protocols.

## What this means for your stack

### If you build anything that touches phone numbers or carrier identity

Developers who rely on SMS-based 2FA, carrier-based identity verification, or phone number as a user identifier should internalize this: the carrier network is not a trusted channel. It hasn't been for years, but findings like this make the case concrete. SMS OTP is not two-factor authentication; it's one factor (something you know) plus a wish (that nobody is intercepting your carrier signaling).

The practical move: migrate to app-based TOTP (Google Authenticator, Authy), WebAuthn/passkeys, or push-based verification. If you must use SMS, treat it as a fallback, not a primary factor, and implement anomaly detection on authentication patterns.

### If you build location-aware applications

If your application's threat model includes location privacy — and for many apps, it should — understand that carrier-level location data is accessible to entities beyond the carrier itself. This doesn't mean GPS or Wi-Fi positioning in your app is compromised, but it does mean that a user's physical location may be known to third parties regardless of your app's privacy controls. For applications serving journalists, activists, domestic violence survivors, or anyone with a physical safety concern, this is a first-order threat.

Consider: do you store phone numbers alongside sensitive data? Do you use phone number as a primary key? Every phone number is a potential location query target. Architect accordingly.

### If you work in telecom or infrastructure

If you operate signaling infrastructure — as an MVNO, a signaling hub, an SMS aggregator — you are part of this supply chain. Audit your signaling partners. Deploy Category 1 and Category 2 SS7 firewalls per GSMA guidelines. Monitor for anomalous location query patterns. The researchers who caught these vendors did it by analyzing signaling traffic; you can do the same on your own network.
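The three patterns the researchers reportedly keyed on (high-frequency pings against a few numbers, origins with no roaming relationship, and regular timing) can be checked against your own signaling logs. The sketch below is an added example, not code from the research or the article; the record layout, network names, partner list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (epoch seconds, origin network, target MSISDN).
# Assumes upstream filtering has already reduced the feed to location queries.
ROAMING_PARTNERS = {"net-A", "net-B"}  # hypothetical partner list
EVENTS = [
    (0, "net-A", "+15550001"), (4000, "net-A", "+15550002"),
    (9000, "net-B", "+15550003"), (20000, "net-A", "+15550001"),
    # One unknown origin polling one number roughly every 5 minutes:
    *[(1000 + 300 * i + (i % 2), "net-X", "+15550009") for i in range(8)],
    (5000, "net-Y", "+15550004"),  # single query from an unknown origin
]

def detect(events, partners, window=3600, burst=6, max_cv=0.2):
    """Return {(origin, target): sorted list of reasons} for suspicious pairs."""
    by_pair = defaultdict(list)
    for ts, origin, target in events:
        by_pair[(origin, target)].append(ts)
    findings = {}
    for (origin, target), stamps in by_pair.items():
        stamps.sort()
        reasons = set()
        if origin not in partners:
            reasons.add("no_roaming_relationship")
        # Sliding window: any `burst` consecutive queries inside `window` seconds.
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                reasons.add("high_frequency")
                break
        # Near-constant gaps suggest scheduled polling, i.e. real-time tracking.
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 4 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            reasons.add("periodic_timing")
        if reasons:
            findings[(origin, target)] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for pair, reasons in sorted(detect(EVENTS, ROAMING_PARTNERS).items()):
        print(pair, reasons)
```

Thresholds need tuning against a baseline of your own traffic; a pair that trips all three reasons at once is the strongest candidate for review.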

## Looking ahead

This story will follow a familiar arc: outrage, congressional letters, carrier PR statements about taking security seriously, and then nothing changes for most subscribers. The structural incentive problem — carriers profit from signaling access and don't bear the cost of its abuse — won't be solved by research papers. It requires either regulation with teeth (the EU's European Electronic Communications Code has provisions, but enforcement is weak) or a market shift where subscribers can actually choose carriers based on signaling security posture. Neither is imminent. In the meantime, the practical response for developers is the same as it's been for a decade: stop trusting the phone network. Build like it's compromised, because it is.

Hacker News 379 pts 130 comments

Surveillance vendors caught abusing access to telcos to track people's locations

DrewADesign · Hacker News

I was training to be a 911 dispatcher a while ago. When they told us about getting someone’s location from the cell company outside of what was available automatically from e911 or whatever— which required them to be on the phone with you, so not useful if you get a text saying they just drove off a

areoform · Hacker News

One of the biggest lies about the surveillance state is that it'll be professional. NSA employees have used multi-billion dollar American surveillance assets to spy on women they're infatuated with. There's even a cute term for it, LOVEINT. https://www.nbcnews.com/news&#x

aetherspawn · Hacker News

Yeah, a friend of mine was tracked by a stalker ex-boyfriend who worked at a Telco. It was irritatingly difficult to avoid because it seemed he could look up her SIM card by name and then get her location no matter what (new SIM, new phone). Anyone who reports this kind of thing to the police just soun

Anonyneko · Hacker News

This is just par for the course in Russia. Government has telcos track people, and that data ends up available on the black market for anyone to purchase, for a fairly modest fee. The government has been recently trying (with uncertain degree of success) to crack down on the latter, as this was freq

mentalgear · Hacker News

> Gary Miller, one of the researchers who investigated these attacks, told TechCrunch that some clues point to an “Israeli-based commercial geo-intelligence provider with specialized telecom capabilities,” but did not name the surveillance provider. Several Israeli companies are known to offer si
