Covert Surveillance Vendors Exploit Telecom Infrastructure to Track Targets Globally
A new report by **Citizen Lab** reveals that surveillance vendors are exploiting vulnerabilities in telecommunications infrastructure to secretly harvest location data. These campaigns involve posing as legitimate cellular providers and leveraging weaknesses in both legacy and modern cellular network protocols.
Surveillance vendors are leveraging telecommunications infrastructure to extract targets' location data, according to a report released Thursday by researchers at **Citizen Lab**, a research institute at the University of Toronto that tracks digital surveillance.
The report details campaigns exploiting weaknesses in telecom infrastructure, allowing unnamed vendors to secretly pose as real cellular providers and pinpoint victims' locations.
One identified campaign involved sending text messages with malicious hidden SMS commands to targets, effectively turning the device into a covert tracking beacon, according to the report.
### SS7 and Diameter Protocol Exploitation
The other campaign relied on weaknesses in **Signaling System 7 (SS7)**, a set of protocols for cellular networks. These protocols have long been abused because they are the primary way networks send users' calls and text messages to their contacts.
**SS7** protocols are primarily used in older 3G networks and are particularly vulnerable because they lack source verification and authentication of signaling messages, and do not use encryption, the report stated.
The surveillance vendors also targeted **Diameter** protocols, used for newer 4G and 5G networks. Although **Diameter** protocols were designed with security protections absent in **SS7**, many operators have not implemented these safeguards, the report notes.
### The Attack Vector
Both campaigns exploited the same three telecom networks to gain access to users' locations.
According to the report, these mobile networks "repeatedly appear as the surveillance entry and transit points within the telecommunications ecosystem," functioning as gateways that allow traffic to move through trusted signaling interconnections while granting access to threat actors hiding behind their infrastructure.
### Possible Israeli Connection
Evidence suggests an Israeli company may be behind the surveillance, according to Gary Miller, one of the report's authors.
"The techniques that were used were specifically designed to obfuscate the source, but in looking at the routing of that traffic - it is routing that is injected into the mobile ecosystem - I could see that the traffic would have taken the path back to Israel," Miller said.
While **Citizen Lab**'s research is unique in identifying specific examples of attacks, Miller notes that such attacks are commonplace.
"We're not talking about a few spyware attempts," Miller said. "These are massive, massive amounts of unauthorized traffic, and 90 plus percent of them are being generated by third parties accessing the mobile signaling environment. It's such a huge issue that has not been addressed."
