Global Espionage Exploiting Mobile Networks Uncovered

Severity: High (Score: 67.0)

Sources: hpi.de, Citizenlab.Ca

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: mobile, networks, researchers, uncover, espionage, hasso, plattner

Severity indicators: pla

Summary

A research team from Hasso Plattner Institute and University of Toronto revealed that commercial surveillance vendors exploit vulnerabilities in mobile networks to track individuals. Their report, 'Bad Connection,' identifies two sophisticated surveillance campaigns utilizing the SS7 protocol, which lacks authentication in 2G and 3G networks. The study analyzed firewall data and discovered simultaneous location-tracking requests from operators in nine countries, indicating a large-scale operation. Additionally, invisible SMS messages targeting SIM cards were found to be used for extracting location data. The findings highlight the significant risks posed by these vulnerabilities, which remain largely unaddressed in many mobile networks.

Key Points:

  • Commercial surveillance vendors exploit mobile network vulnerabilities for tracking.
  • Two sophisticated surveillance campaigns identified, involving multiple countries.
  • SS7 protocol weaknesses allow unauthorized location tracking without user consent.

Detailed Analysis

**Impact** Mobile network users worldwide are affected, with surveillance campaigns observed across operators in nine countries. The exploitation enables precise location tracking of individuals, impacting privacy and potentially compromising sensitive personal and operational data. The scale and coordination suggest commercial surveillance vendors servicing multiple clients, including governments, indicating a broad geopolitical and sectoral reach.

**Technical Details** Attackers exploit vulnerabilities in SS7 (2G/3G) and Diameter (4G/5G) protocols, primarily due to lack of authentication and incomplete implementation of encryption. Two main TTPs identified are: sending signaling queries to determine a phone’s connected cell tower and using invisible SMS commands processed by SIM card applications to extract location data. The use of “Global Titles” allows attackers to impersonate legitimate network participants. No specific malware or CVEs were mentioned.

**Recommended Response** Mobile network operators should restrict or ban leasing of “Global Titles” and implement full authentication and encryption mechanisms in Diameter protocol deployments. Monitoring for unusual signaling queries and invisible SMS traffic targeting SIM cards is advised. Regulators should enforce stricter governance on telecom infrastructure to reduce exploitation risks. No specific patches were detailed; focus should be on protocol hardening and anomaly detection.
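One way to act on the monitoring advice above, as an added example that is not taken from the report or either source article: flag any subscriber whose location-revealing signaling queries arrive from several origin countries within a short window, the pattern the summary describes. The log layout, the placeholder country labels (AA, BB, CC), the choice of MAP operations and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real traffic. Assumed layout:
# timestamp, country of the originating Global Title, MAP operation, target subscriber
SAMPLE_LOG = """\
2026-01-10T08:00:01Z,AA,provideSubscriberInfo,sub-001
2026-01-10T08:00:03Z,BB,anyTimeInterrogation,sub-001
2026-01-10T08:00:04Z,CC,provideSubscriberInfo,sub-001
2026-01-10T08:00:09Z,AA,updateLocation,sub-002
2026-01-10T08:05:00Z,AA,provideSubscriberInfo,sub-003
2026-01-10T09:30:00Z,BB,provideSubscriberInfo,sub-003
"""

# MAP operations that can return serving-node or cell information
# (assumed watch list; tune it to what your signaling firewall reports).
LOCATION_OPS = {"provideSubscriberInfo", "anyTimeInterrogation", "sendRoutingInfoForSM"}


def parse(log_text):
    """Yield (timestamp, origin_country, operation, target) from CSV lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, origin, op, target = [field.strip() for field in line.split(",")]
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), origin, op, target


def coordinated_lookups(log_text, window=timedelta(seconds=60), min_origins=3):
    """Return {target: sorted origin countries} for every subscriber that
    received location queries from at least min_origins distinct countries
    inside one sliding window."""
    by_target = defaultdict(list)
    for ts, origin, op, target in parse(log_text):
        if op in LOCATION_OPS:
            by_target[target].append((ts, origin))

    alerts = {}
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            origins = {o for _, o in events[start:end + 1]}
            # Keep the widest set of origins seen for this target.
            if len(origins) >= min_origins and len(origins) > len(alerts.get(target, ())):
                alerts[target] = sorted(origins)
    return alerts
```
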

Source articles (2)

  • Researchers Uncover Espionage in Mobile Networks — Citizenlab.Ca · 2026-05-29
    Citizen Lab doctoral fellow Swantje Lange spoke with the Hasso Plattner Institut (HPI) about sophisticated surveillance campaigns being used to exploit mobile networks, sharing that “the mobile network is h…
  • Researchers Uncover Espionage In Mobile Networks — hpi.de · 2026-05-29
    Tracking people via their mobile phones is a standard trope in crime dramas and spy movies. Now, a research team from the Hasso Plattner Institute (HPI) and the University of Toronto has demonstrated…

Timeline

  • 2026-05-29 — Research report published: HPI and University of Toronto released findings on mobile network espionage, detailing exploitation methods and scale of operations.
  • 2026-05-29 — Findings shared with Citizen Lab: Swantje Lange discussed the report's implications and the complexity of mobile networks in a Citizen Lab article.

Related entities

  • T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
  • Diameter Protocol (Platform)
  • SS7 Protocol (Platform)