How a Surveillance Vendor Used an SS7 Exploit to Track Phones
If you’ve ever wondered how secure your phone truly is, you’re not alone. Recent revelations show a surveillance vendor in the Middle East exploited a dangerous vulnerability in SS7, a critical telecom protocol, to track people’s phone locations without their knowledge. This SS7 attack bypassed existing carrier defenses and gave the vendor access to cell tower data — a chilling reminder of the vulnerabilities that exist in our mobile infrastructure. In this blog, we’ll break down what SS7 is, how the exploit works, who’s affected, and what’s being done to stop it.
Image Credits:Getty Images
By unpacking the technical details in a clear, people-first way, we’ll help you understand why SS7 attacks matter, how they’re being weaponized by surveillance vendors, and what users and telecom companies can do to mitigate the threat.
Understanding the SS7 Protocol and Why It’s Vulnerable
SS7, or Signaling System 7, is a decades-old protocol that forms the backbone of global telecommunications. It allows cell phone networks to exchange key information such as call routing, text messaging, and — crucially — location data. It’s a system originally designed for trust between telecom operators, but over time, this trust has become a glaring vulnerability.
Surveillance vendors have exploited SS7 vulnerabilities in the past by gaining access through either compromised local operators or through leasing global titles — unique identifiers that allow companies to send and receive network signals. Once inside, attackers can request a device’s location by querying the network for which cell tower a phone is connected to, often narrowing down a person’s whereabouts to within a few hundred meters. These SS7 attacks are not just theoretical; they’ve been actively used to spy on journalists, activists, and even political dissidents.
This latest case, uncovered by cybersecurity firm Enea, shows a new bypass method that gets around the firewalls some telecom companies have installed to block unauthorized SS7 queries. According to Enea’s VP of Technology, Cathal Mc Daid, the surveillance company has been using this new SS7 attack since late 2024 — meaning real people’s locations were being tracked without their consent, and possibly without their knowledge, for months.
Who Is Behind the Attack and Who’s at Risk?
Although Enea has not publicly named the surveillance vendor, it confirmed that the company is based in the Middle East and had targeted only a “few subscribers.” While that may sound limited, it highlights a disturbing reality: If one vendor can successfully bypass SS7 protections, others can—and likely will—follow. Surveillance vendors typically work with or for governments, and they often justify their actions as being in the interest of national security. However, history shows that such tools are frequently used against members of civil society, including journalists, human rights defenders, and political opponents.
What makes this even more alarming is that users can’t protect themselves from SS7 attacks. These vulnerabilities exist at the network level, meaning even strong phone-level security like end-to-end encryption or app permissions won’t help. The burden of defense falls squarely on telecom operators and national regulators. Unfortunately, the global telecom infrastructure is inconsistent in its security measures. Some carriers have robust firewalls and monitoring, while others — especially in developing or authoritarian-leaning countries — do not.
This inconsistency has made SS7 a valuable tool for international surveillance. A 2017 U.S. Department of Homeland Security report noted that countries like China, Iran, Israel, Russia, and Saudi Arabia have exploited SS7 vulnerabilities to spy on U.S. subscribers. It’s a global issue with few boundaries, and it's becoming increasingly difficult to contain as surveillance vendors continue to innovate.
What Can Be Done About SS7 Exploits and How Can You Stay Aware?
The first and most crucial step in preventing SS7-based surveillance is improving telecom-level defenses. That includes implementing comprehensive SS7 firewalls, real-time monitoring for unusual signaling activity, and stricter international agreements about who can access SS7 networks. Telecom operators must treat SS7 threats as seriously as they do malware or DDoS attacks. As cybersecurity expert Cathal Mc Daid pointed out, the fact that these bypass attacks are successful means there’s still much work to be done.
Governments also need to take a more aggressive regulatory stance. U.S. Senator Ron Wyden, for example, has been vocal in pressuring telecom companies and federal agencies to address SS7 vulnerabilities. But international coordination is essential. Without clear regulations, bad actors will continue exploiting loopholes in less secure countries to target people worldwide.
For individuals, while you can’t block SS7 attacks directly, you can stay informed and support privacy-focused mobile providers. You can also use secure messaging apps that limit metadata collection and keep sensitive conversations off traditional SMS networks. While that doesn’t protect your location data from being retrieved via SS7, it does help minimize your overall digital footprint.
Ultimately, SS7 attacks like the one discovered by Enea are a stark reminder that even the most foundational layers of our digital lives are vulnerable to abuse. The best defense is transparency, pressure for reform, and holding surveillance vendors — and their government clients — accountable.
Post a Comment