A new investigation by Citizen Lab has brought to light a series of long-running global surveillance campaigns that exploit critical weaknesses in mobile network infrastructure. According to the report titled “Bad Connection,” commercial surveillance vendors (CSVs) are actively abusing the SS7 and Diameter signaling protocols to track individuals across the globe without requiring any access to their mobile devices. The findings raise serious concerns about user privacy and the security of telecom networks worldwide.

These attacks expose fundamental flaws in telecom signaling systems that were originally designed to ensure seamless communication between operators, not to withstand hostile participants. Threat actors are now leveraging those same systems for covert monitoring, leaving millions of mobile users vulnerable to unauthorized tracking and surveillance.

Signaling System No. 7 (SS7), which continues to play a significant role in 3G networks, operates on a trust-based model between telecom providers. Unfortunately, it lacks modern security safeguards such as strong authentication and encryption. Because of this, attackers can exploit the system by gaining access through third-party providers and sending malicious signaling requests. For instance, a simple “Provide Subscriber Information” query can reveal the exact cell tower a user is connected to, allowing precise real-time location tracking.

Although Diameter was introduced to improve security in 4G and early 5G networks, it remains susceptible to exploitation. Modern telecom environments still rely on SS7 for backward compatibility, which creates additional opportunities for attackers. Using techniques such as “combined attach,” malicious actors can downgrade secure Diameter connections and reroute them through SS7, bypassing existing security controls with relative ease.

The report further highlights multiple surveillance campaigns that employ advanced attack strategies. In one case, attackers used SS7 and Diameter switching while spoofing telecom operator identities across nine countries, targeting high-profile telecom executives. In another instance, threat actors delivered malicious SMS messages containing hidden SIM commands, which allowed them to extract location data and expand their surveillance reach. These findings clearly demonstrate how attackers combine network-level access with device-level manipulation to enhance their tracking capabilities.

Moreover, researchers observed that attackers often impersonate legitimate telecom operators, effectively acting as “Ghost Operators.” By doing so, they ensure that malicious signaling traffic blends seamlessly with normal roaming activity, making detection significantly more difficult. Citizen Lab also linked this activity to real telecom infrastructure across multiple countries, suggesting the involvement of centralized surveillance platforms that enable such operations at scale.

These platforms are reportedly marketed to governments, intelligence agencies, and private organizations, offering capabilities such as real-time location tracking, interception of calls and SMS messages, and even bypassing two-factor authentication mechanisms. Notably, these attacks do not require malware deployment, which makes them particularly stealthy and harder to detect using traditional cybersecurity tools.

In response to these alarming findings, global regulators and cybersecurity experts have expressed growing concern. Agencies like the Federal Communications Commission have already initiated investigations into vulnerabilities associated with SS7 and Diameter protocols. Nevertheless, experts warn that addressing these issues in isolation will not be sufficient. Since both protocols coexist within modern telecom networks, attackers can continue to exploit the gaps between them.

Therefore, industry experts emphasize the urgent need for telecom operators to adopt unified signaling firewalls capable of analyzing cross-protocol traffic. Such solutions can help detect anomalies, block unauthorized requests, and ultimately prevent unauthorized location tracking attempts. Without coordinated global action, however, these structural weaknesses will continue to enable large-scale surveillance operations, leaving user privacy at significant risk.
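The following is an added illustration of the kind of cross-protocol correlation such a unified signaling firewall performs, covering the location-disclosing "Provide Subscriber Information" query, the operator impersonation ("Ghost Operator") pattern and the Diameter-to-SS7 downgrade described above. It is not code from Citizen Lab, from the report, or from any telecom vendor. The event format, the PLMN codes, global title prefixes, Diameter realms and the time window are all constructed assumptions, and the rules are deliberately simplified heuristics rather than a real GSMA filtering profile.

```python
"""Toy unified signaling firewall for inbound interconnect traffic.

Added example for this article; it is not code from Citizen Lab or from any
telecom vendor. All identifiers (PLMN codes, global title prefixes, Diameter
realms) and the rule thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOME_PLMN = "00101"  # constructed: MCC 001 + MNC 01, "our" network

# Constructed mapping from a signaling origin (SS7 global title prefix or
# Diameter Origin-Realm) to the PLMN that legitimately owns it.
ORIGIN_TO_PLMN: Dict[str, str] = {
    "1555": HOME_PLMN,                             # our own GT range
    "4477": "23410",                               # constructed roaming partner
    "epc.mnc010.mcc234.3gppnetwork.org": "23410",  # the same partner's LTE realm
}

# SS7 MAP operations that disclose a subscriber's location. Legitimately they
# originate in the subscriber's home network (PSI: HLR -> serving VLR;
# ATI: home-network node -> HLR), so over the interconnect they should only
# ever come from that home network.
LOCATION_OPS = {"PSI", "ATI"}
# Operations that register a subscriber's current location.
ATTACH_OPS = {"UL", "ULR"}  # MAP UpdateLocation, Diameter Update-Location-Request


@dataclass
class Event:
    ts: int        # seconds since start of capture (constructed)
    proto: str     # "SS7" or "Diameter"
    op: str        # operation name, e.g. "PSI", "ATI", "UL", "ULR"
    origin: str    # SS7 calling-party global title or Diameter Origin-Realm
    imsi: str


def plmn_of_imsi(imsi: str) -> str:
    """Assumption: two-digit MNC, so MCC+MNC is the first five digits."""
    return imsi[:5]


def plmn_of_origin(origin: str) -> Optional[str]:
    """Resolve an origin to its owning PLMN, or None if it is unknown to us."""
    for prefix, plmn in ORIGIN_TO_PLMN.items():
        if origin == prefix or origin.startswith(prefix):
            return plmn
    return None


class SignalingFirewall:
    """Correlates SS7 and Diameter events per IMSI. Every event fed in is
    assumed to have arrived from outside our network, i.e. on the interconnect."""

    def __init__(self, downgrade_window: int = 600):
        self.downgrade_window = downgrade_window
        # imsi -> (timestamp, serving PLMN) of the latest Diameter attach seen
        self.diameter_attach: Dict[str, Tuple[int, str]] = {}

    def inspect(self, ev: Event) -> List[str]:
        alerts: List[str] = []
        src = plmn_of_origin(ev.origin)
        home = plmn_of_imsi(ev.imsi)

        if src is None:
            alerts.append("unknown-origin")
        elif src == HOME_PLMN:
            # Nothing arriving on the interconnect should carry our own
            # identity: the "Ghost Operator" impersonation pattern.
            alerts.append("spoofed-home-identity")

        if ev.proto == "SS7" and ev.op in LOCATION_OPS and src != home:
            alerts.append("location-query-from-non-home-network")

        if ev.proto == "SS7" and ev.op in LOCATION_OPS | ATTACH_OPS:
            last = self.diameter_attach.get(ev.imsi)
            if last and ev.ts - last[0] <= self.downgrade_window and src != last[1]:
                # The subscriber was just registered over Diameter (4G) by one
                # network and SS7 traffic about the same IMSI now arrives from
                # another: the cross-protocol shape the article describes.
                alerts.append("cross-protocol-downgrade")

        if ev.proto == "Diameter" and ev.op in ATTACH_OPS and src is not None:
            self.diameter_attach[ev.imsi] = (ev.ts, src)

        return alerts


SAMPLE_EVENTS = [  # constructed capture, oldest first
    Event(100, "Diameter", "ULR", "epc.mnc010.mcc234.3gppnetwork.org", "001011234567890"),
    Event(160, "SS7", "PSI", "4477001", "234101112223334"),  # partner asks about its roamer
    Event(210, "SS7", "PSI", "9990001", "001011234567890"),  # unknown GT asks about our sub
    Event(300, "SS7", "ATI", "1555002", "001019876543210"),  # external node using our GT
]


def run(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Feed events through one firewall instance; key results by time and op."""
    fw = SignalingFirewall()
    return {f"{e.ts}:{e.op}": fw.inspect(e) for e in events}


if __name__ == "__main__":
    for key, alerts in run().items():
        print(key, alerts or "ok")
```

In the constructed capture, the partner's own query about its inbound roamer passes, while the query about our subscriber from an unregistered global title trips all three checks at once, because the same IMSI was attached over Diameter by a different network moments earlier. The value of the unified view is that last rule: neither an SS7-only nor a Diameter-only filter sees both halves of that sequence.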
