Spy campaigns expose how surveillance vendors hijack telecom networks to track phone locations
Security researchers have uncovered two separate spying campaigns that exploit known weaknesses in global telecom infrastructure to track the location of people’s phones. According to a new report from Citizen Lab, these operations are likely just a small sample of widespread abuse by surveillance vendors seeking access to cellular networks.
The findings, published Thursday, reveal how vendors operate as “ghost” companies that pose as legitimate mobile providers. By piggybacking on network access, they can look up the real-time location data of targets without their knowledge. This practice, researchers warn, is far more common than previously understood.
How SS7 and Diameter flaws enable phone location tracking
One of the core issues lies in the insecurity of SS7, a set of protocols for 2G and 3G networks that has long been the backbone of global telecom routing. SS7 lacks authentication and encryption, making it easy for rogue operators to exploit. For years, experts have warned that governments and spyware makers can abuse these vulnerabilities to geolocate individuals.
The newer Diameter protocol, designed for 4G and 5G, includes better security features. However, Citizen Lab highlights that many providers fail to implement these protections properly. Attackers can still fall back to exploiting SS7 when Diameter defenses are weak. This means that even modern networks remain vulnerable to phone location tracking.
Three telecom providers implicated in surveillance campaigns
Both campaigns share a common thread: they abused access to three specific telecom providers. These companies acted as entry and transit points, allowing surveillance vendors and their government clients to hide behind their infrastructure. The report names 019Mobile (Israel), Tango Networks U.K., and Airtel Jersey (now owned by Sure) as key players.
Sure CEO Alistair Beak told TechCrunch that the company does not lease signaling access for tracking purposes. He stated that Sure has implemented measures to block misuse, including monitoring and suspending suspicious activity. However, Tango Networks and 019Mobile did not respond to requests for comment. Gil Nagar, head of IT at 019Mobile, sent a letter to Citizen Lab saying the company “cannot confirm” that the identified infrastructure belongs to them.
Two distinct methods of phone location tracking
The first campaign relied on exploiting SS7 flaws, switching to Diameter when needed. Researchers believe this operation was run by an Israel-based commercial geo-intelligence provider with deep telecom integration. The second campaign used a different approach: sending special SMS messages to a “high-profile” target’s SIM card.
These messages, known as SIMjacker attacks (first documented by Enea in 2019), communicate directly with the SIM card without alerting the user. They can turn a phone into a location tracking device. Gary Miller, one of the Citizen Lab researchers, noted that these attacks are geographically targeted and difficult to detect. “I’ve observed thousands of these attacks through the years,” he said, calling them “a fairly common exploit.”
Why this matters for privacy and security
Miller emphasized that these two campaigns are just the tip of the iceberg. “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he explained. The findings underscore how telecom network abuse remains a persistent threat, especially for high-profile individuals like journalists, activists, and political figures.
What can be done to stop phone location tracking?
Telecom providers must implement stronger authentication and monitoring for signaling protocols. Governments should enforce stricter regulations on surveillance vendors and their access to network infrastructure. For individuals, using encrypted communication apps and disabling location services when not needed can help reduce exposure.
As Citizen Lab’s report makes clear, the abuse of telecom networks for phone location tracking is not a theoretical risk—it’s happening now. The question is how quickly the industry will close these gaps before more targets are compromised.