Hackers Exploit SS7 and Diameter Protocols to Track Mobile Users Worldwide

A new investigation by Citizen Lab has exposed long-running global surveillance campaigns exploiting core weaknesses in mobile network infrastructure.

The report, titled “Bad Connection,” reveals how commercial surveillance vendors (CSVs) abuse SS7 and Diameter signaling protocols to track individuals worldwide without needing access to their devices.

These attacks highlight systemic flaws in global telecom networks, in which legacy protocols designed for seamless connectivity are now being leveraged for covert surveillance.

The Flaws in SS7 and Diameter Protocols

Signaling System No. 7 (SS7), widely used in 3G networks, operates on a trust-based model between telecom operators.

It lacks modern security features such as strong authentication and encryption, making it highly vulnerable to abuse.

Attack flow (Source: Citizen Lab)

Threat actors can gain access to the signaling network through third-party providers and send malicious requests.

For example, a simple “Provide Subscriber Information” query can reveal the exact cell tower a user is connected to, enabling precise location tracking.

Although Diameter was introduced to improve security in 4G and early 5G networks, it remains vulnerable.

Modern networks still rely on SS7 for backward compatibility, creating an opportunity for attackers to exploit both protocols simultaneously.

By leveraging “combined attach” mechanisms, attackers can downgrade secure Diameter connections and reroute requests through SS7, effectively bypassing security controls.

Citizen Lab identified multiple campaigns using different attack techniques:

  • STA1: Used SS7 and Diameter switching, spoofed telecom operator identities across nine countries, and targeted high-profile telecom executives.
  • STA2: Delivered malicious SMS messages containing hidden SIM commands to extract location data, enabling broader surveillance.

These campaigns demonstrate how attackers combine network-level access with device-level techniques to expand tracking capabilities.

Researchers observed that attackers impersonate legitimate telecom providers, acting as “Ghost Operators.”

By spoofing operator identities, malicious signaling traffic blends with normal roaming activity, making detection difficult.

Network Path Exploited (Source: Citizen Lab)

Citizen Lab linked this activity to real telecom infrastructure across multiple countries, suggesting the use of centralized surveillance platforms.

These platforms are marketed to governments, intelligence agencies, and private entities. Capabilities include:

  • Real-time location tracking.
  • Interception of calls and SMS messages.
  • Bypassing two-factor authentication mechanisms.

Notably, these attacks do not require malware deployment, making them stealthy and harder to detect.

The findings align with growing concerns among regulators and cybersecurity experts. Agencies such as the Federal Communications Commission have launched investigations into SS7 and Diameter vulnerabilities.

However, experts warn that patching individual protocols is insufficient. Since SS7 and Diameter coexist in modern telecom environments, attackers can exploit gaps between them.

To mitigate these risks, telecom operators must deploy unified signaling firewalls capable of analyzing cross-protocol traffic.

These systems can detect anomalies, block unauthorized queries, and prevent location tracking attempts.
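
The kind of cross-protocol check such a firewall applies can be sketched as follows. This is an added example, not code from Citizen Lab or from any firewall product; the link names, operator identities, IMSIs and reason strings are constructed, and the rule set is deliberately simplified to two location-related operations.

```python
from collections import defaultdict

# Operations that request subscriber location (simplified, assumed list).
LOCATION_OPS = {("SS7", "provideSubscriberInfo"),
                ("DIAMETER", "Insert-Subscriber-Data-Request")}
# Constructed interconnect table: identities and PLMN each roaming partner owns.
PEERS = {
    "link-a": {"ids": {"gt:990001", "hss.op-a.example"}, "plmn": "00102"},
    "link-b": {"ids": {"gt:990002", "hss.op-b.example"}, "plmn": "00103"},
}
WINDOW = 300  # seconds used to correlate SS7 and Diameter activity

def evaluate(events):
    """Return a (verdict, reasons) pair for each inbound signaling event."""
    flagged = defaultdict(list)  # imsi -> [(timestamp, protocol)] of rejected queries
    results = []
    for e in events:
        peer, reasons = PEERS[e["link"]], []
        # Spoofed operator identity: the claimed origin does not belong to this link.
        if e["origin"] not in peer["ids"]:
            reasons.append("origin-identity-mismatch")
        if (e["proto"], e["op"]) in LOCATION_OPS:
            # Only a subscriber's home network has a reason to ask where they are.
            if not e["imsi"].startswith(peer["plmn"]):
                reasons.append("location-query-not-from-home-network")
            # Same subscriber probed over the other protocol shortly before.
            if reasons and any(p != e["proto"] and e["ts"] - t <= WINDOW
                               for t, p in flagged[e["imsi"]]):
                reasons.append("cross-protocol-location-probing")
            if reasons:
                flagged[e["imsi"]].append((e["ts"], e["proto"]))
        results.append(("block" if reasons else "allow", reasons))
    return results

def ev(ts, link, origin, proto, op, imsi):
    return dict(ts=ts, link=link, origin=origin, proto=proto, op=op, imsi=imsi)

# Constructed sample traffic (test PLMN 001-01 is the protected home network).
EVENTS = [
    ev(0, "link-a", "gt:990001", "SS7", "provideSubscriberInfo", "001020000000007"),
    ev(10, "link-b", "gt:990002", "SS7", "provideSubscriberInfo", "001010000000001"),
    ev(70, "link-b", "hss.op-a.example", "DIAMETER",
       "Insert-Subscriber-Data-Request", "001010000000001"),
    ev(80, "link-a", "gt:990001", "SS7", "updateLocation", "001010000000001"),
]

if __name__ == "__main__":
    for event, (verdict, reasons) in zip(EVENTS, evaluate(EVENTS)):
        print(event["ts"], event["proto"], event["op"], verdict, reasons)
```

The third event is rejected for all three reasons at once, which is only possible because SS7 and Diameter traffic are evaluated against shared per-subscriber state rather than by two separate filters.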

Without coordinated global action, the structural weaknesses in telecom signaling networks will continue to enable large-scale surveillance operations.

The post Hackers Exploit SS7 and Diameter Protocols to Track Mobile Users Worldwide appeared first on Cyber Security News.