Full Report
Researchers said it's the first-ever mapping of attack traffic to mobile operator signalling infrastructure (CyberScoop: "Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities").
Analysis Summary
# Vulnerability: Exploitation of SS7 and Diameter Signaling Protocols for Geolocation Tracking
## CVE Details
- **CVE ID**: N/A (Architectural flaws in global telecommunications protocols)
- **CVSS Score**: N/A (Service-provider level exploitation)
- **CWE**: CWE-1385 (Missing Origin Validation in Signaling System No. 7) / CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- **Products**: Global mobile carrier infrastructure.
- **Versions**: 3G (SS7), 4G/LTE (Diameter), and non-standalone 5G networks.
- **Configurations**: Roaming interconnect pathways and the interconnected signaling gateways between international mobile operators.
## Vulnerability Description
The vulnerability stems from an "inherent trust" model used in the Signalling System No. 7 (SS7) and Diameter protocols. These protocols were designed to facilitate international roaming and billing by allowing operators to exchange subscriber information. However, they lack robust authentication for the origin of messages.
Commercial surveillance vendors (referred to as "ghost operators") obtain access to the global signaling network—often through leasing arrangements with legitimate smaller carriers or third-party providers. Once connected, they send specifically crafted MAP (Mobile Application Part) or Diameter Sh/Cx requests to a target's Home Location Register (HLR) or Home Subscriber Server (HSS). These requests trick the network into revealing the victim's current cell tower location (CGI/ECGI) without the victim's knowledge or consent.
## Exploitation
- **Status**: **Exploited in the wild**. Targeted surveillance campaigns have been mapped to infrastructure in Cambodia, China, Israel, Italy, and several other nations.
- **Complexity**: High (Requires access to the restricted global signaling core).
- **Attack Vector**: Network (Signaling layer).
## Impact
- **Confidentiality**: High (Real-time physical location tracking and potential interception of SMS/calls).
- **Integrity**: Medium (Ability to manipulate traffic routing).
- **Availability**: Low (Primary goal is covert surveillance, not disruption).
## Remediation
### Patches
- There is no "patch" for these protocols as the flaws are architectural.
- Transitioning to **5G Standalone (SA)** with Subscription Concealed Identifier (SUCI) provides better protection, though many 5G networks still rely on vulnerable 4G/Diameter cores.
### Workarounds
- **Signaling Firewalls**: Operators must implement advanced signaling firewalls that perform Category 1, 2, and 3 screening to block suspicious cross-border packets.
- **Location Privacy**: Some mobile OS features allow for limited privacy, but they cannot prevent network-level tracking by the carrier.
## Detection
- **Indicators of Compromise**:
  - Unusual volumes of `AnyTimeInterrogation` (ATI) or `ProvideSubscriberInfo` (PSI) requests for specific subscribers.
  - Signaling traffic originating from Global Titles (GTs) or Point Codes (PCs) that do not match the expected geographic origin of the roaming partner.
- **Detection Methods**:
  - **Signaling Monitoring**: Carriers should use automated tools to monitor for "steered" traffic and spoofed operator identities.
  - **Citizen Lab Research**: Analysis of the "hostnames" and "network nodes" used by surveillance vendors to mask their activity.
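Detection logic for the two indicators listed above (location-query bursts against one subscriber, and requests from Global Titles outside the roaming-partner countries), written as an added example rather than code from the report or from Citizen Lab. The decoded-event log format, the sample events, the partner allow-list and the threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample of decoded MAP events: timestamp, calling Global Title, operation, target IMSI.
SAMPLE_EVENTS = [
    "2024-01-10T09:00:01 gt=447700900001 op=updateLocation imsi=234150000000001",
    "2024-01-10T09:00:05 gt=393401000002 op=sendRoutingInfoForSM imsi=234150000000002",
    "2024-01-10T09:01:10 gt=855129900007 op=anyTimeInterrogation imsi=234150000000001",
    "2024-01-10T09:03:12 gt=855129900007 op=anyTimeInterrogation imsi=234150000000001",
    "2024-01-10T09:05:14 gt=855129900007 op=provideSubscriberInfo imsi=234150000000001",
    "2024-01-10T09:07:16 gt=855129900007 op=anyTimeInterrogation imsi=234150000000001",
    "2024-01-10T09:09:00 gt=447700900001 op=provideSubscriberInfo imsi=234150000000002",
]

# Hypothetical allow-list: E.164 country codes of the GT ranges our roaming partners use.
ALLOWED_GT_COUNTRY_CODES = {"44", "39"}
# Small E.164 table (1- to 3-digit codes) used for longest-prefix matching of a GT.
KNOWN_COUNTRY_CODES = {"1", "39", "44", "86", "855", "972"}
# MAP operations that return a subscriber's serving cell / location.
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo"}

def parse_event(line):
    """Turn 'key=value' tokens into a dict; the first token is the timestamp."""
    fields = line.split()
    event = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event

def gt_country_code(gt):
    """Longest-prefix match of a Global Title against the known E.164 codes."""
    for length in (3, 2, 1):
        if gt[:length] in KNOWN_COUNTRY_CODES:
            return gt[:length]
    return None

def analyze(lines, threshold=3):
    """Return location-query bursts per (imsi, gt) and GTs from non-partner countries."""
    bursts = Counter()
    unexpected = set()
    for event in map(parse_event, lines):
        if gt_country_code(event["gt"]) not in ALLOWED_GT_COUNTRY_CODES:
            unexpected.add(event["gt"])
        if event["op"] in LOCATION_OPS:
            bursts[(event["imsi"], event["gt"])] += 1
    flagged = {key: n for key, n in bursts.items() if n >= threshold}
    return {"location_bursts": flagged, "unexpected_origin_gts": sorted(unexpected)}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

In production the same two checks would run over a sliding time window and against the operator's real roaming-agreement GT ranges, which is what a signaling firewall's Category 2 screening does.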
## References
- Citizen Lab Report: https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
- FCC Probe on Signaling Security: https://docs.fcc.gov/public/attachments/DA-24-308A1.pdf
- News Coverage: https://cyberscoop[.]com/surveillance-campaigns-use-commercial-surveillance-tools-to-exploit-long-known-telecom-vulnerabilities/