How Surveillance Companies Hide in Phone Networks to Track Your Location

Surveillance companies have found their way into the systems that connect mobile phone networks around the world by pretending to be legitimate telecom operators. They exploit decades-old security flaws in the protocols—think of these as the "languages" that let phone networks talk to each other—to pinpoint where mobile phones are located across international borders, according to new research from Citizen Lab, a digital rights organization based in Toronto.

The report, published Thursday, describes two new surveillance operations that abuse weaknesses in SS7 and Diameter protocols. These are the communication systems that allow mobile networks worldwide to relay calls, send messages, and enable roaming—when you travel abroad and your phone still works on a foreign network. Surveillance actors have learned to inject fake messages into these systems, targeting specific phone identities (known as IMSIs), to force responses that reveal a person's location.

Vietnamese Operator Tracks Users Across Africa

From November 2022 to June 2023, Gmobile, a Vietnamese mobile operator owned by GTel Mobile and the Vietnam Ministry of Public Security, ran systematic location-tracking attacks across African countries. The company deployed five different fake network identities to conduct surveillance operations.

The Vietnam Ministry of Public Security has a documented history of human rights concerns, including censorship and internet restrictions, according to the Citizen Lab report.

During the first half of 2023 alone, researchers identified approximately 171 mobile networks in 100 countries sending targeted location-tracking messages to operators in Africa—a sign of how widespread these unauthorized surveillance operations have become.

Fake Companies Pose as Real Telecom Providers

The research named three operators allegedly involved in surveillance activity: Israeli operator 019Mobile, British provider Tango Networks U.K., and Airtel Jersey, a Channel Island operator now owned by Sure. These companies appear to have obtained access to international phone networks by posing as legitimate telecom providers.

When asked about the allegations, Gil Nagar, head of IT and security at 019Mobile, said the company cannot confirm that infrastructure attributed to them in the research actually belongs to 019Mobile. Sure CEO Alistair Beak stated the company does not knowingly lease its network access for location tracking or surveillance.

Worth flagging: Tracking down who is actually responsible for surveillance becomes difficult when bad actors can use fake network identities or exploit systems they have hacked into without the legitimate operator knowing about it.

Old Protocols, New Exploits

The SS7 protocol that powers 2G and 3G networks was designed decades ago without authentication or encryption built in—meaning anyone who can access the network can potentially send messages and receive location data. The newer Diameter protocol used in 4G and 5G networks has better security features, but only if mobile carriers actually implement them properly.

The global system that controls international phone connections—called IPX (IP eXchange)—is supposed to restrict access to only legitimate mobile operators, not third parties who could abuse the system. But enforcement of these rules varies widely across different countries and networks.

In this author's view, having followed the original SS7 vulnerability disclosures over a decade ago, the fact that these attacks continue to work shows how hard the telecom industry has found it to balance the need for networks to stay connected and easy to use against the need to lock down security. The very thing that makes global roaming possible—networks staying open to each other—is what surveillance companies have learned to weaponize.

Other Ways to Track Your Phone

The telecom surveillance findings arrive as concerns grow about location tracking through other channels. Police and intelligence agencies use phone advertising data to track people through systems like Webloc, built by Cobwebs and sold by data brokers like Penlink, which can access information from up to 500 million devices.

Law enforcement has deployed tools like Fog Reveal to search through hundreds of billions of records from 250 million mobile devices—often without a warrant. Local police departments use this data to create detailed maps of where people have been, sometimes going back months in time.

Major U.S. carriers—Verizon, AT&T, Sprint, and T-Mobile—promised to stop selling your location data to data brokers. However, a data broker called LocationSmart says it only provides location information with user consent.

Courts and Lawmakers Start Pushing Back

The widespread surveillance has triggered legal cases around the world. In July 2021, the Gulf Center for Human Rights filed a complaint in France against NSO Group, alleging the company is responsible for harm to human rights defenders in the Middle East and North Africa. In Thailand, human rights lawyer Arnon Nampa and legal reform advocate Yingcheep Atchanont filed a case in June 2023 accusing Thai state agencies of privacy violations using NSO Group's Pegasus spyware.

In the United States, the Supreme Court has agreed to rule on whether broad search warrants that collect cellphone location history to find suspects near crime scenes are constitutional. A federal appeals court in New Orleans had already ruled that these "geofence warrants" violate the Fourth Amendment's protection against unreasonable searches.

Different Countries, Different Rules

Governments around the world are taking different approaches to location surveillance. India's government is considering a telecom industry proposal to require smartphone makers to turn on satellite location tracking that cannot be disabled—despite objections from Apple, Google, and Samsung.

Analysis: The telecom industry faces a hard choice: keep networks open and interconnected (which is what makes global calling and roaming work) or lock them down with security measures (which could slow down or complicate legitimate network operations). SS7, the protocol that handles much of this, was designed in the 1970s—long before anyone worried about modern security threats—yet it remains essential for international calls and emergency services.

This research shows that both state-sponsored surveillance operations and commercial vendors exploit the same protocol weaknesses, creating a murky threat landscape where network operators struggle to tell the difference between legitimate traffic and malicious surveillance.

As mobile networks shift to 5G, the chance to fix these fundamental vulnerabilities is closing. The decision to either maintain compatibility with old systems or implement serious security upgrades will determine whether the next generation of mobile networks stays vulnerable to the surveillance techniques that have plagued cellular networks for more than a decade.