Security researchers say they have caught a surveillance company in the Middle East exploiting a new attack capable of tricking phone operators into disclosing a cell subscriber’s location.
The attack relies on bypassing security protections that carriers have put in place to protect intruders from accessing SS7, or Signaling System 7, a private set of protocols used by the global phone carriers to route subscribers’ calls and text messages around the world.
SS7 also allows the carriers to request information about which cell tower a subscriber’s phone is connected to, typically used for accurately billing customers when they call or text someone from overseas, for example.
Researchers at Enea, a cybersecurity company that provides protections for phone carriers, said this week that they have observed the unnamed surveillance vendor exploiting the new bypass attack as far back as late 2024 to obtain the locations of people’s phones without their knowledge.
Enea VP of Technology Cathal Mc Daid, who co-authored the blog post, told TechCrunch that the company observed the surveillance vendor target “just a few subscribers” and that the attack did not work against all phone carriers.
Mc Daid said that the bypass attack allows the surveillance vendor to locate an individual to the nearest cell tower, which in urban or densely populated areas could be narrowed to a few hundred meters.
Enea notified the phone operator it observed the exploit being used in, but declined to name the surveillance vendor, except to note it was based in the Middle East.
Mc Daid told TechCrunch that the attack was part of an increasing trend in malicious operators using these kinds of exploits to obtain a person’s location, warning that the vendors behind their use “would not be discovering and using them if they were not successful somewhere.”
“We anticipate that more will be found and used,” Mc Daid said.
…