Surveillance Vendors Exploit SS7 and Diameter Protocols to Track Phones Worldwide, Citizen Lab Finds


A new Citizen Lab investigation has just confirmed what telecom security researchers have warned about for years: commercial surveillance vendors are actively exploiting decades-old SS7 and Diameter protocol weaknesses to silently track phone locations across 2G, 3G, 4G, and even 5G networks anywhere in the world. Two specific spying campaigns have been publicly documented, and the targets are not just dissidents and journalists.

What SS7 and Diameter Actually Are

SS7 is the signalling protocol that lets phone networks talk to each other — it's how your phone roams when you land in another country, and how SMS gets routed across operators. Diameter is the modern equivalent for 4G and 5G. Both were designed in an era when mobile carriers were a small, trusted club. There is essentially no authentication for the kind of cross-network signalling messages an attacker would use to locate or intercept a phone.

For at least a decade, security researchers have demonstrated that with cheap access to the SS7 network — typically rented from a shell carrier — anyone can send a "location update" query and find out where any phone in the world is, accurate to a tower.

What the New Citizen Lab Report Reveals

Citizen Lab and TechCrunch have jointly documented two ongoing campaigns. The first abuses SS7 across older networks, with the bulk of the activity routed through telecom intermediaries based in Eastern Europe and the Middle East. The second targets Diameter on 4G and 5G networks, demonstrating that even modern networks still leak location data when proper STP firewalls are not in place.

Citizen Lab traced operator footprints to several known commercial surveillance vendors and at least one previously undocumented player. The targets identified so far include political figures, journalists, and corporate executives across more than a dozen countries.

This builds on the recent Penlink Webloc story, which Citizen Lab confirmed could track 500 million mobile devices via ad networks. The two reports paint a coherent picture: surveillance has industrialised, and the attack surface is wide open.

Why 5G Did Not Fix This

The cellular industry sold 5G as a security upgrade. In some ways it is — 5G adds optional encryption of subscriber identifiers and stricter authentication. But "optional" is the key word. Most operators still run mixed networks with 2G/3G/4G fallback, so an attacker who cannot exploit 5G directly simply downgrades the target into a more vulnerable protocol.

The financial incentives are also against deployment of strong defences. Filtering signalling traffic is expensive, and a "missed" filter rule can degrade roaming for paying customers. Operators have historically erred toward keeping the lights on rather than locking down signalling.
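
The trade-off between a blunt filter rule and targeted ones, as an added Python example that is not taken from the Citizen Lab report or from any vendor's product. The operator names, prefix tables, operation groupings and sample records are constructed assumptions, and the checks cover only source, operation and subscriber-home consistency.

```python
# Added illustration of signalling-firewall decisions; all data is constructed.
from dataclasses import dataclass

HOME_NET = "HOME"
# Constructed prefix tables: global title -> operator, IMSI (MCC+MNC) -> home operator.
GT_PREFIX = {"1000": "HOME", "2000": "PARTNER_A", "3000": "UNKNOWN_X"}
IMSI_PREFIX = {"00101": "HOME", "00201": "PARTNER_A"}
ROAMING_PARTNERS = {"PARTNER_A"}
INTERNAL_ONLY = {"anyTimeInterrogation", "sendRoutingInfo"}  # no valid external sender
HOME_OF_TARGET_ONLY = {"provideSubscriberInfo"}  # valid only from the target's home network
VISITED_NET = {"updateLocation"}  # valid only from a partner serving our subscriber

@dataclass
class Msg:
    src_gt: str  # calling global title
    op: str      # MAP operation name
    imsi: str    # subscriber the message is about

def operator_of(value, table):
    return next((name for pfx, name in table.items() if value.startswith(pfx)), None)

def decide(msg, naive=False):
    src = operator_of(msg.src_gt, GT_PREFIX)
    home = operator_of(msg.imsi, IMSI_PREFIX)
    if src == HOME_NET:
        return "allow"  # assumption: traffic originating inside our network is trusted
    if naive:
        return "block"  # blunt rule: drop everything external, breaking roaming
    if msg.op in INTERNAL_ONLY:
        return "block"
    if msg.op in HOME_OF_TARGET_ONLY:
        return "allow" if src is not None and src == home else "block"
    if msg.op in VISITED_NET:
        return "allow" if home == HOME_NET and src in ROAMING_PARTNERS else "block"
    return "block"  # default deny for anything unclassified

SAMPLE = [  # constructed records as seen on the interconnect
    Msg("2000111", "updateLocation", "001010000000001"),         # our subscriber roaming at a partner
    Msg("2000111", "provideSubscriberInfo", "002010000000002"),  # partner asking about its own roamer
    Msg("3000999", "anyTimeInterrogation", "001010000000001"),   # unknown source, internal-only operation
    Msg("3000999", "provideSubscriberInfo", "001010000000001"),  # unknown source, not the target's home
    Msg("2000111", "provideSubscriberInfo", "001010000000001"),  # partner asking about our subscriber
]

def compare(msgs):
    """Return (operation, naive verdict, targeted verdict) per message."""
    return [(m.op, decide(m, naive=True), decide(m)) for m in msgs]

if __name__ == "__main__":
    print(*compare(SAMPLE), sep="\n")
```

The blunt rule blocks all five records, including the two legitimate roaming messages, while the targeted checks pass those two and still block the other three.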

My Take

This is embarrassing for the telecom industry, full stop. The SS7 problem has been known since at least 2008. Researchers have been demoing this on conference stages for nearly two decades. Commercial surveillance vendors have been openly selling SS7 access services in grey-market forums. The fact that Citizen Lab still has fresh evidence in 2026 means operators have not done the basic work.

If you carry a phone — and you do — you should assume location data is leakable to any sufficiently motivated buyer. That is not paranoia, it is the current state of the protocol stack. The fix has to come from regulators forcing operators to deploy STP firewalls, not from individual users.

Frequently Asked Questions

What is SS7 and why is it insecure?

SS7 (Signalling System No. 7) is the legacy protocol carriers use to route calls and SMS between networks. It assumes all participants are trusted operators, with little authentication. An attacker with cheap access to an SS7 connection can send queries that reveal a phone's location anywhere in the world.

Can SS7 attacks intercept my calls?

Yes. In addition to location tracking, SS7 attacks can be used to intercept SMS, redirect calls, and bypass SMS-based two-factor authentication. Authenticator apps (TOTP) and hardware security keys are far safer than SMS for high-value accounts.

Does 5G fix SS7 vulnerabilities?

Not by default. 5G adds new security features but most networks still fall back to 2G, 3G, or 4G in some contexts, leaving the underlying SS7 and Diameter exposure intact. Operators must explicitly deploy signalling firewalls (STP firewalls) to mitigate it.

Who is behind these surveillance campaigns?

Citizen Lab has linked the campaigns to known commercial surveillance vendors and at least one previously unidentified player. The infrastructure is largely routed through grey-market telecom intermediaries in Eastern Europe and the Middle East.

The Bottom Line

The latest Citizen Lab disclosure is yet more evidence that mobile network security is structurally broken at the signalling layer, and that commercial surveillance vendors are happy to monetise the gap. Until regulators force operators to actually deploy signalling firewalls and retire 2G/3G fallback paths, your phone's location and SMS will continue to be silently available to whoever can pay for it. Use authenticator apps, not SMS, for anything that matters.